Serious cyber attacks on Japanese companies' data networks are increasing in scale and frequency, as highlighted by the recent high-profile attacks on Sony, Sega and Nintendo, all incidents widely reported by the international media.
In addition to general liability for compensation claims, the regulation of such security breaches is becoming increasingly onerous within the European Union (EU). Multinational Japanese companies in all sectors should therefore understand their potential liability and regulatory obligations in the event of a security breach.
In this newsletter we look at:
- the recent Sony security incident;
- the scope of general liability and EU regulation;
- EU enforcement measures;
- EU proposals to extend compulsory breach notifications;
- general liability for compensation claims; and
- recommendations for Japanese companies.
Sony security incident
During April 2011, Sony discovered that a number of its servers had been hacked, compromising the personal details of 100 million users of various gaming and online entertainment services. The information compromised included customer names, addresses, email addresses, gender, birth dates, telephone numbers, log-in names and hashed passwords, as well as some direct debit records listing bank account numbers of customers in Germany, Austria, The Netherlands and Spain.
Sony was forced to close down its PlayStation network and Sony Online Entertainment service for a number of weeks and has had to respond to numerous regulators’ requests and subpoenas in various jurisdictions. A potential class action lawsuit has also been filed in the United States. The claimants allege that Sony knew its security measures were inadequate and that it did not seek to protect its customers' data to the same level as its own intellectual property.
Sony has already implemented a programme of redress for affected customers, but the costs of the incidents are still being calculated by the company.
Scope of general liability and EU regulation
All multinational Japanese companies which suffer a security breach are potentially liable to have civil claims brought against them by customers who have incurred damage as a result (see 'General liability for compensation claims' below).
In addition, since May 2011, providers of electronic communications services (ECS) in the EU have been subject to compulsory data breach notification requirements. A Japanese company providing ECS (which includes cloud computing providers, ISPs and telecoms operators) to customers within the EU will therefore be required to notify:
- the relevant National Regulatory Authority (NRA) (if the security incident will have a significant impact on the continuity of their communications network and services); and
- the relevant national Data Protection Agency (DPA) (if the incident involves the accidental or unlawful destruction or loss of, or unauthorised access to, personal data).
In certain circumstances, the company may even be required to notify the relevant individuals whose data have been compromised (see our June 2011 newsletter).
EU enforcement measures
A Japanese company which is an ECS provider that fails to comply with applicable compulsory breach notification obligations may be subject to enforcement measures, including:
- NRA Breach Remedy Notices: a notice from the relevant NRA requiring the provider to remedy the breach. NRAs also have the power to notify NRAs in other Member States and ENISA (the EU regulator);
- NRA Information Gathering Powers and Fines: the relevant NRA has powers to gather information from the provider regarding the security breach and can impose fines for failing to comply with such information-gathering orders;
- NRA Service Suspension Order: in serious or recurrent cases, the NRA may even order the provider to suspend providing services until the breach is remedied; and
- DPA Monetary Penalties: separately, the relevant DPA may impose fines or other sanctions for security breaches.
EU proposals to extend compulsory breach notifications
Whilst such compulsory breach notifications are currently limited in the EU to the communications sector, Viviane Reding, Vice President of the European Commission and EU Justice Commissioner, clearly indicated in June 2011 the Commission's intention to introduce a mandatory requirement to notify data security breaches for all sectors as part of the imminent reforms to the Data Protection Directive (95/46/EC).
In July 2011, the Commission subsequently issued a public consultation seeking views on the practical rules that are required in order to ensure that personal data breaches are notified in a consistent way across the EU. Of particular interest to multinational Japanese companies, the Commission wants to learn more about cross-border security (e.g. where a data controller established in one Member State suffers a breach which affects individuals based elsewhere) to ensure that any future implementing measures take full account of the needs of all parties involved.
General liability for compensation claims
In addition to enforcement measures, Japanese companies in any sector which are subject to security breaches causing damage to the relevant individuals whose data has been lost or stolen may be subject to civil claims for compensation. Such claims may potentially be brought under specific legislation (e.g. the UK Data Protection Act) or on more general legal grounds such as breach of contract or negligence. The willingness of individuals to commence litigation in respect of data loss was highlighted by the recent US class action brought against Microsoft group companies for the 'Sidekick' data loss incident.
Recommendations for Japanese companies
Network security breaches such as the Sony incident are a real potential risk for all multinational Japanese companies. Whilst the EU compulsory breach notification obligations are currently limited to the communications sector, the Commission has indicated that this is the 'thin end of the wedge' and that in due course it intends that all other sectors will become subject to similar regulation.
Accordingly, it is important for multinational Japanese companies operating within the EU to monitor legislative developments and consider how they will implement appropriate organisational and technical measures to ensure that they will be able to comply with such requirements in the event of security breaches, as well as mitigate potential liability for compensation claims.