Sony's PSN terms and conditions are being challenged by the ICO, which claims the agreement users must comply with in order to sign up for and use PSN is not applicable under UK law.
T&C claims no liability
According to Sony's T&C, the firm is not liable for any loss of data or any "unauthorised access" to said data when using Sony Online Network. However, this is being challenged by the ICO, which claims that under the UK's Data Protection Act, "any individual or company which handles personal information (including names, email addresses and payment details) is required to keep that information secure," and Sony could face a penalty of £500,000.
The Information Commissioner's Office has issued a statement to Edge saying that if UK residents' data is stored in the UK, "this clause would not free them from their obligations under the UK Data Protection Act," but since the independent firm is unaware of where UK user data is stored, it is unsure at the moment whether Sony can be held liable for any breach of consumer information.
"If we found a breach, one of the actions we could take would be to issue an undertaking, which is an agreement between the ICO and the company that if they are handling personal information they have to bring about set improvements in order for them to be compliant with the act," the ICO representative explained. "If the company is not compliant with the act within a certain time limit, further action would be taken and we might consider an enforcement notice or issue a monetary penalty.
"For serious breaches of the act, we can issue a monetary penalty up to £500,000."
For the matter to be considered serious and pursued, it would have to be proven that Sony was aware of its security obligations and failed to act on them. It must also be proven that it caused undue stress to quite a lot of people.
A criminal matter
According to the Regulation of Investigatory Powers Act, the system hack also falls under criminal legislation overseen by the Metropolitan Police.
Per Jas Purewal of GamerLaw, account compromises "raise complex but increasingly common legal issues."
"They are governed both by the T&Cs applicable to the account as well as by more general legal principles," he explained. "Exactly how companies are required to deal with account compromises (including informing account holders of the compromise) will depend both on the T&Cs applicable to the account and the laws of the relevant countries - so there is no universal practice as such."
While the loss of data such as names, addresses and financial details could lead to both "regulatory action and lawsuits for compensation," should such information be used, Purewal said that since there is no misuse of such data at present, any legal claim against Sony would currently be difficult.
Until such a compromise occurs, it is hard to prove misuse of said data.