Article published in 2011.
Like Sony, gambling operators hold a significant volume and variety of customer data, including names and contact details, user IDs and passwords, and financial and social information. The Sony headlines serve as a stark reminder of the importance of data security. As the Sony saga has demonstrated, a security breach can lead to reputational damage, as well as significant financial costs in supporting customers, compensating those affected, investigating the security breach and preventing its recurrence - even before the relevant regulator has determined whether the security breach was caused by non-compliance with data security obligations.
Sony's security breach may be an extreme case, but it is by no means an isolated one; security breaches hit the headlines almost daily. The UK data protection regulator, the Information Commissioner's Office (the "ICO"), is adopting an increasingly pro-active stance on security breaches, and since April 2010 has had the power to impose monetary penalties of up to £500,000 for serious contraventions of the data protection legislation. This, coupled with the ICO's policy of publishing all enforcement action taken, means that dismissing the risks associated with a security breach is not a realistic option.
In this article we examine the data security obligations that are imposed upon organisations that process customer data, how these obligations apply in the context of the Sony security breach, and how gambling operators should manage the legal and commercial risks if a security breach occurs.
In the UK, organisations' obligations around the security of customer data are set out in the Data Protection Act 1998 (the "Act"); similar obligations apply throughout the European Union, since the Act implements the EU Data Protection Directive. The Act applies whenever a "data controller", such as a gambling operator, processes personal data. "Personal data" is any information relating to a living individual who can be identified from it, which for a gambling operator will typically cover all the information it holds about a customer, such as name, contact details, account credentials and financial information. The crux of the Act is that it imposes an obligation on all data controllers to comply with eight data protection principles, which broadly require fairness, proportionality and data quality in all data processing. The seventh principle deals with security and stipulates that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The security measures required are those appropriate to the harm that could result from a loss of the particular data or its unauthorised processing. In practice, this means that gambling operators must assess the security options available in light of the potential harm, cost of the security measure, level of sensitivity of the data, and the technology available; different levels of security may be appropriate to different types of data.
The seventh principle is most obviously pertinent to such things as laptop computers and PDAs holding personal data. However, the potential for risk must be assessed for data held in all formats. An organisation which relies on its online presence and remote data storage may view itself as at a lower risk of security breaches than one which heavily utilises portable media for data storage. However, data controllers which are wholly online are vulnerable to many forms of attack, including denial of service attacks and hacking, as Sony discovered.
If the gambling operator has comprehensively considered the risks and has pro-actively implemented data security measures, it is likely to be compliant; its obligations do not extend to establishing a research and development department to design unhackable code. However, the ICO has made it clear that, alongside technological measures, such as encryption and firewalls, measures such as staff training and Kensington locks are also vital to compliance.
Both the Act and the ICO distinguish between a security breach caused by a weakness in technological security coupled with human error and one caused by sophisticated attackers mounting an organised attack on a well-protected system. In the former case a data controller is highly likely to fall foul of the Act; in the latter, a data controller will not be in breach of the Act if it can show that the security measures in place were appropriate at the time of the attack. Since it is the data controller that has to demonstrate this, it should keep records of the risk assessments it has carried out and the measures it adopted as a result.
Encryption standards are always evolving, and the ICO advises data controllers to implement a solution which meets or exceeds the current standard (such as FIPS 140-2). Note that FIPS 140-2 validates the cryptographic module itself, not the way it is deployed: encryption whose keys are poorly protected, or which is applied to backups but not to the live customer database, will not deliver the protection the seventh principle demands. The ICO also specifically refers to ISO standards 27001 and 27002 in its framework code. Whilst a higher standard of security applies to more sensitive data, the framework code suggests adopting a 'highest common denominator' approach whereby all data is secured to the highest level.
Currently, the Act does not require data controllers to notify the ICO or affected individuals following a security breach. However, the Gambling Commission's Information Security Code of Practice requires licensed operators to notify the Gambling Commission of any major breach of information security which adversely affects the confidentiality of customer data or prevents customers accessing their accounts for a substantial period. A review of the data protection legislation is also underway at European Union level and there have been discussions over introducing a mandatory requirement to notify information security regulators in the wake of high profile security breaches.
A data controller remains liable for the processing of customer data even where that processing is sub-contracted to a third party data processor. The Act requires the data controller to choose a processor which provides sufficient guarantees about its security measures, to put the processing under a written contract obliging the processor to act only on the controller's instructions and to comply with security obligations equivalent to the seventh principle, and to take reasonable steps to ensure that the processor complies. Gambling operators should therefore ensure that every such contract contains provisions mirroring their own seventh principle obligations, and should then monitor their sub-contractors' compliance with those provisions, for example through audit rights and an obligation on the processor to report promptly any security incident affecting the operator's data.
THE SONY SECURITY BREACH, AND ITS CONSEQUENCES
The saga of the Sony PlayStation data security breaches is a real-life example of what can happen when things go wrong.
Sony took its PlayStation Network offline on 20 April 2011 and announced six days later that the network had been hacked and that users' personal details had been stolen.
It is not yet clear whether this security breach constitutes a breach of the Act. The data was stolen after a successful illegal intrusion onto the network. However, Sony's obligation under the Act is to take 'appropriate measures' to protect adequately the data it holds. So far Sony has been tight-lipped on the details of how the hack succeeded and on the state of its security systems. The ICO has not yet taken any enforcement action, but has undertaken to make "further enquiries to establish the precise nature of the incident" before deciding on Sony's compliance with its security obligations under the Act. To demonstrate compliance, Sony will need to show that it had in place security measures proportionate in sophistication and cost to the potential harm, and that the attack was nevertheless carried out by sophisticated attackers able to defeat those measures.
Sony initially blamed the security breach on the well-known hacker group 'Anonymous'. The group has denied direct involvement in the main attack, but in April this year issued a threat against Sony following its legal action against a hacker who had circumvented the PlayStation 3's security controls. It could be argued that this threat put Sony on notice of a potential attack, even if the actual attack came from elsewhere. The ICO could take the view that Sony breached the Act by not then reviewing the robustness of its security measures.
Sony's announcement six days after taking the network offline was met with widespread anger from users. Sony has come under heavy criticism in the media both for the security breach itself and for its handling of the notifications. In recent weeks there have also been further attacks and security breaches in other parts of Sony's empire, only serving to exacerbate its problems.
There have been a number of consequences in the wake of Sony's notification of the security breach:
Regulators: Regulators in a number of jurisdictions (including Ireland and the UK) have announced investigations into the incident.
As the details of the security breach have not been made public, it is difficult to assess how the ICO will respond. On the face of it, Sony seems to have been the unlucky victim of cybercrime. However, the ICO's investigation may reveal that Sony's security systems were weak, or that Sony failed to respond effectively to the threat from the hacking group, leading the ICO to conclude that Sony had not complied with its data security obligations.
If the ICO concludes that a breach has taken place, it may issue an enforcement notice, seek an undertaking from Sony (ie a legally binding commitment from Sony to implement specific measures to achieve compliance going forward, such as implementing security measures, improving policies or implementing more detailed solutions following an audit of its operations) and/or impose a monetary penalty of up to £500,000. Whatever the ICO's decision, it will be published.
Civil actions: Sony's management of customer complaints will be key in mitigating civil claims.
In the UK, an individual can claim compensation for damage or distress caused by a data controller's breach of the Act, although the data controller will have a defence if it can show it had taken such care as in all the circumstances was reasonably required. Successful claims of compensation have been rare and awards tend to be low.
A number of civil actions have been raised in the US and Canada on the basis that Sony "failed to safeguard adequately certain personal information, financial data and usage data". Interestingly, an action raised in Ontario also cited the failure to notify the customers and the regulators as further non-compliance.
A further issue raised in the class action brought in the California Court was Sony's compliance with its contractual undertakings to the consumers - a reminder that, in addition to statutory liability, data controllers may be in contractual breach of their own customer terms and conditions.
Brand: The most critical damage is that done to the brand. Sony has faced a massive backlash from once loyal users in the aftermath of this security breach. The trust of its consumers has been compromised, and it remains to be seen whether it can be regained. For Sony, a regulatory fine is likely to be a drop in the ocean compared to the cost of negative publicity. Even if the ICO ultimately concludes that Sony has not breached the Act, the damage to the brand has already been done.
Sony has recently estimated the cost of the hacking and data breaches at a staggering $170 million, which does not include the potential cost of compensating customers should they fall victim to identity theft or if any class action suits are successful.
PREPARE FOR THE WORST
The Sony case study highlights the importance of data security. The most damaging consequence of a security breach is not a fine or enforcement action by a regulatory authority, but the damage to the brand and, for online systems in particular, the loss of customer confidence in the security of the operator's systems.
Therefore, it is crucial that gambling operators manage the expectations of their customers and take care to assess what would be acceptable and proportionate for the customer, not just "what is the minimum that we can do to comply with the law?".
If a breach does occur, effective handling of the response is key, which means planning and preparing for such an event in advance. A breach response policy should be drawn up which sets out who is responsible for managing the incident, how affected systems are to be contained and evidence preserved for the subsequent investigation, and when and how notification is made to customers and regulators; prompt notification to both is suggested. All staff should have data protection training appropriate to their role, and appropriate compensation, support and remedial plans should be prepared.
The Sony incident has demonstrated that a prompt response and notification to consumers is absolutely imperative to reduce consumer backlash and damage to reputation.
The risks are exacerbated by the potential global nature of an online gambling operator. Different jurisdictions impose varying degrees of security standards. Adopting a 'highest common denominator' approach may be more onerous and expensive, but can minimise the risk of non-compliance, and also ensure that in the event of a security breach customers do not identify a disparity in their protection based on jurisdiction.
In a fast-paced, competitive market, there is no shortage of other operators waiting to collect disenchanted customers in the wake of a controversial security breach. Customer data is a key asset for gambling operators, who would be well advised to view its security as a priority.