Customers and employees entrust their personal information to businesses on a daily basis and expect that these businesses will treat that information with the care and respect it deserves by implementing the proper safeguards to keep it safe. However, just recently (and this is far from the only instance of an organizational data breach), users of Sony’s PlayStation Network (PSN) online gaming platform have had their bank or credit card details stolen in two serious breaches of the electronics giant’s security in less than a week. The company warned that more than 12,000 users worldwide have had their credit or debit card details compromised.
The company also said that names, addresses, emails, birthdates, phone numbers and other information from 24.6 million PSN accounts may have been stolen from its servers as well as from an “outdated database”.
The incidents are under investigation and lawsuits have been filed against Sony. Closer to home, a proposed class-action lawsuit has been filed in Ontario on behalf of about one million Canadian PSN and Qriocity (another Sony online media network) users for breach of privacy. The lawsuit claims damages in excess of $1 billion, which includes having Sony pay the costs of credit monitoring services and fraud insurance coverage for two years.
Sony “failed to adequately safeguard certain personal information, financial data and usage data”.
“The defendants delayed notifying the proper law enforcement agencies and delayed in notifying and/or warning the plaintiff and other class members of the potential theft of their personal information and/or financial data”.
The representative plaintiff in the action stated in a press release, “If you can’t trust a huge multinational corporation like Sony to protect your private information, who can you trust?”
Clearly, keeping private information private has become increasingly difficult.
In the wake of such data breaches, the federal, Alberta and British Columbia Privacy Commissioners launched, on May 3, 2011, a new online self-assessment questionnaire to help organizations better protect customers’ and employees’ personal information.
Securing Personal Information: A Self-Assessment Tool for Organizations is a detailed questionnaire and analysis tool that will help businesses assess how well they are complying with private-sector privacy laws. Under all of these laws, organizations that collect or hold personal information must take steps to protect the information from unauthorized access, collection, use, disclosure, copying, modification, disposal and destruction.
The tool can be used by any private-sector organization, particularly small and medium-sized businesses.
“Cleaning up after a data breach can be very costly for business,” warns BC Privacy Commissioner Elizabeth Denham. “In addition to the time and energy that needs to be diverted in order to mitigate the damage, a breach can also harm an organization’s reputation, and that can be much costlier than investing in better information-security practices in the first place.”
Moreover, businesses should take the time to find out if there are any gaps in their information-security processes and implement corrective measures to prevent or reduce the risk of costly data breaches.
Once you’ve assessed your workplace, take a look at First Reference’s Protecting employee and customer privacy, a how-to guide for private-sector organizations on compliance with privacy laws and protecting personal information. The guide will help you understand the “why”, “what” and “how” of privacy legislation and what you need to implement.
First Reference Human Resources and Compliance Managing Editor