Privacy & Information Security Law Blog

On April 26, 2011, Sony Computer Entertainment America (“Sony”) disclosed an information security breach that may affect up to 77 million consumers.  On Sony’s PlayStation blog, Patrick Seybold, Senior Director of Corporate Communications and Social Media, wrote that an unauthorized person intruded into Sony’s PlayStation Network and Qriocity streaming music and video service between April 17 and April 19, 2011, and may have obtained users’ names, addresses, email address, birthdates, passwords and logins.  Mr. Seybold wrote that “out of an abundance of caution” Sony was advising its users that their credit card information also may have been obtained.  The blog post also noted that Sony is taking steps to address the breach, which include (1) turning off PlayStation Network and Qriocity services, (2) engaging an external security firm to investigate the incident, and (3) enhancing information security and strengthening its network infrastructure.  Sony further advised users to “review your account statements and to monitor your credit reports,” and provided the contact information for the three major credit bureaus in the United States.

Sony’s blog post came almost a full week after it shut down the PlayStation Network and Qriocity services causing widespread confusion and consternation among its users.  In response to Sony’s disclosures about the breach, Senator Richard Blumenthal (D-CT), who has long focused on privacy issues, sent a strongly-worded letter to the CEO of Sony demanding answers to questions about the breach and asserting that “PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony.  Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.”

On April 27, 2011, a PlayStation Network user filed a nationwide class action lawsuit in the U.S. District Court for the Northern District of California, alleging that Sony did not take “reasonable care to protect, encrypt, and secure the private and sensitive data of its users” and that Sony’s delay in notifying affected individuals hurt the ability of those individuals “to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.”