Serious cyber attacks on multinational companies’ data networks are increasing in scale and frequency. This was highlighted in April 2011 when a number of Sony’s servers were hacked and the personal details of 100 million users of various gaming and online entertainment services were compromised. Sony was forced to close down its PlayStation network and Sony Online Entertainment service for a number of weeks and had to respond to numerous regulators’ requests and subpoenas in various jurisdictions. A potential class action lawsuit has been filed in the United States.
Any multinational company that suffers a security breach may face civil claims from customers who have incurred damage, whether under specific legislation (eg the UK Data Protection Act) or on more general legal grounds (eg breach of contract, negligence). In the EU, providers of electronic communications services must now notify the national communications regulator (and, potentially, the data protection regulator) in the event of a security breach. Failure to comply may result in enforcement measures such as fines, audits, information provision orders and, in serious or recurrent cases, suspension of service.
The European Commission has indicated it intends that all other sectors will become subject to similar regulation. Multinational companies operating within the EU should therefore monitor legislative developments and consider how they will implement appropriate organisational and technical measures to ensure they can comply with such requirements in the event of security breaches, as well as mitigate potential liability for compensation claims.