Sony’s unenviable status as the victim of the record theft of 77,000,000 individuals’ personal information underscores a reality that the on-line business community would like its army of customers to forget: it’s not just that the so-called “hackers” can be very good at what they do, it’s that the appointed guardians of legally protected personal information are not necessarily awake at the switch. Two weeks after this “illegal and unauthorized” intrusion, which took place sometime between April 17 and April 19, there is still no confirmation that Sony’s PlayStation and its related service, Qriocity, had adequate (or any) security.
There have been numerous suggestions that the PlayStation’s basic encryption of protected personal information was weak or non-existent. What other explanation could there be for Sony blogging to its customers that it might be able to restore “some services within a week” than an apparent mad scramble at Sony to create a secure platform for its popular on-line gaming services, or at best fix a platform that was demonstrably flawed?
Sony’s public silence on the matter is troubling, yet it underscores the peculiar burden-shifting regime that seems to be emerging by default. While the plethora of statutes regulating the protection of sensitive personal data require hacked companies like Sony to promptly notify their customers and provide such benefits as credit monitoring services, there has been little action by enforcement authorities to regulate companies before a breach, in a manner that would require sophisticated, upfront securing of the protected personal information companies collect and thereby avoid preventable breaches.
As a result of this reactive regulatory scheme, on-line businesses seem to be operating in a “buyer beware” world, where the burden of data security falls on the consumer. Since Sony’s data loss reportedly extends to the names, birthdates and purchase histories of the children of families whose credit card and account information may also have been compromised, it may be time for consumers to insist that more attention be paid by the regulators to ensuring the implementation of prophylactic site security “best practices,” and not just to rules for cleaning up the mess after it has happened.