Sony’s announcement on Tuesday of the sheer scale of the security breach that forced it to shut down the PlayStation Network (PSN) is causing a firestorm of potential legal and political trouble that seems unlikely to die down any time soon. The lawsuit filed on Wednesday may very well be the first of many.
A San Francisco law firm announced the filing of the first class-action lawsuit against the company. The Rothken Law Firm filed the suit in federal court in the Northern District of California yesterday. The firm's website said that the complaint alleges that Sony failed to take reasonable care to protect, encrypt, and secure the private and sensitive data of its users,
Sony blogged last night that PSN user credit card information given the company was encrypted.
The focus so far seems to be on Sony’s failure to disclose how severe the security breach actually was right away (While Sony brought down PSN on the 20th they didn’t reveal that customer’s personal information had been compromised until the 26th), but some security experts that PCWorld contacted think that the breach itself could be grounds for a lawsuit. “I think the other issue at play here is going to be one or more lawsuits in which gross negligence will be proven if Sony doesn’t settle out of court” says Randy Abrams, Director of Technical Education at security company ESET.
But legal problems seem to be just the tip of the iceberg for Sony. In addition to the obvious trust issues Sony will face with customers, the company is also encountering mounting regulatory problems resulting from the security breach. Members of Congress are already getting involved: Mary Bono Mack of California, chair of the House Subcommittee for Commerce, Manufacturing and Trade, has opened an investigation on the matter.
Representative Bobby Rush of Illinois and Senator Tom Carper of Delaware have both gone a step further and begun pushing for more serious cyber-security legislation. In a letter to Sony CEO Howard Stringer, Senator Richard Blumenthal of Connecticut stated, “I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach.”
But the US government isn’t the only one getting into the act: Regulatory agencies from around the world have opened investigations into the PSN intrusion. Britain’s Information Commissioner’s office and Canada’s Privacy Commissioner have both opened investigations to see if Sony violated the law by not better protecting user’s personal information.
While only time will tell which of these are serious threats to Sony, and which are attempts to grab press in the wake of the security breach. That said, matters will likely get worse for Sony before they get better, especially since the company thinks PSN will remain down for at least another week. If you’ve used PSN and are concerned about your personal data, check out our survival guide to figure out what the intruders may have on you and what to do about it.
[Tony Bradley contributed to this report.]