27 January 2013

United Kingdom: monetary penalty against Sony (PlayStation)

On 14 January, the United Kingdom's Information Commissioner's Office (ICO) imposed a monetary penalty of £250,000 (approximately CAD 397,000 or EUR 294,000) on Sony following a security incident that occurred in April 2011 (post).

It will be recalled that the PlayStation environment was the target of several attacks leading to the theft of a large volume of personal data:
"5. ---, the Network Platform was infiltrated following several Distributed Denial of Service (DDoS) attacks on various online networks of the Sony group. The attacker accessed personal data stored on the Network Platform which included customers' names; addresses; email addresses; dates of birth and account passwords. [...]
8. In addition, it is estimated that -- million of the customers had registered payment card details to their account although there is no evidence that the encrypted payment card details were accessed."
(Source: Decision of 14-01-2013, p. 3)
The ICO further states that, at the time of the attacks, Sony was not providing a sufficient level of security and was therefore in breach of the requirements of the Data Protection Act 1998, in particular principle 7, which reads as follows:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Consequently, the ICO is of the view that Sony did not meet its obligations regarding the protection of personal data, which is likely to cause harm to the persons whose personal data were affected by the attacks:
"- The Commissioner is satisfied that there has been a serious contravention of section 4(4) of the Act [i.e. "it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller"].
In particular, the data controller failed to ensure that appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Network Platform such as additional cryptographic controls to protect passwords; --- prior to the hacking attack and addressing the system vulnerabilities at the relevant time.
The contravention is serious because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing and the nature of the data to be protected.
- The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress. The data controller's failure to ensure that appropriate technical measures were taken was likely to cause substantial damage or substantial distress to data subjects whose personal data has been or may have been accessed by third parties and could be further disclosed. [...]
- The Commissioner is satisfied that section 55A(3) of the Act applies in that the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention. [...]"
(Source: Decision of 14-01-2013, p. 5)
In these circumstances, the ICO considers the breach serious enough to impose a monetary penalty on Sony.
"The Commissioner considers that the contravention of section 4(4) of the Act is very serious and that the imposition of a monetary penalty is appropriate. Further that a monetary penalty in the sum of £250,000 (two hundred and fifty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty."
(Source: Decision of 14-01-2013, p. 8)
It should be noted that the ICO has the power to impose monetary penalties under section 55A of the Data Protection Act 1998, which reads as follows:
55A - Power of Commissioner to impose monetary penalty
(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that:
  (a) there has been a serious contravention of section 4(4) by the data controller,
  (b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
  (c) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the data controller:
  (a) knew or ought to have known:
    (i) that there was a risk that the contravention would occur, and
    (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
  (b) failed to take reasonable steps to prevent the contravention.
[...]
In closing, note that Sony has until 14 February 2013 to pay this sum, it being understood that
"The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England."
(Source: Decision of 14-01-2013, p. 9)
and that Sony has until 13 February 2013, 5 p.m., to appeal the decision.

To be continued.

Further reading:
