Sony breach a strong case for online insurance

Guest opinion: Why online service providers need to cover their users.

Users of online services will rightly be sceptical about the safety and confidentiality of their information held by online service providers following the breach of Sony’s PlayStation Network late last month.

Sony's PlayStation Network (PSN) is pushing hard to win back user confidence after reportedly losing as many as 77 million customer records, and 10 million credit card numbers.

Sony has apologised to users, offered all PSN customers a month of free PlayStation Plus membership, and extended subscriptions of PlayStation Plus and Music Unlimited customers.

If Sony were to compensate users for the inconvenience, the cost would be in the millions of dollars. Most importantly, the cost of winning back user confidence will be much higher.

Data breaches do come at considerable cost to victims. Sony's users are concerned about the privacy and safety of their personal and financial information. If their financial details are used illegitimately, they may end up suffering thousands of dollars of financial loss. Identity theft might haunt some users’ for the rest of their lives.

Is insurance a solution?

To build user confidence, online service providers should consider bundling their services with insurance to protect themselves from any financial consequences.

Insurance will help both sides: educating users that online systems are not 100 percent secure; and ensuring that providers are responsible for user data and are prepared to compensate users for any financial loss.

Transferring the risk to an insurance provider and sharing the cost of insurance will cover both service providers as well as users.

Tanveer A Zia, Senior Lecturer
Charles Sturt University

But this does not mean that by educating users about the security risk and providing insurance, online service providers will have less responsibility to protect their systems.

Cybercrime affects not only Sony users; every day, there are millions of users making online transactions, using internet banking, and supplying their personal and financial information to dozens of vendors.

If a vendor such as Sony, which defines itself as a cutting-edge technology provider, has been exposed to such a mass online security breach, how about the other vendors? There is a need for tougher security procedures and for these procedures to be enforced. 

Any breach that involves an online system will have a significant impact not only on the consumers, but the entire industry. Cybercrime regulations need to be redefined, with clear descriptions of offenses and consequences for offenders.

The Privacy Act in Australia – which regulates how personal information is collected, used and disclosed – makes the vendor responsible for the breach and the penalties include changes to vendor practices or procedures, and compensation for financial or non-financial loss.  

Such regulations should be enforced on service providers and any weaknesses in security processes need to be taken very seriously.

Besides PSN users, several legislative authorities have called for answers from Sony about the breach. These include the US House of Representative subcommittee on Energy and Commerce, the UK Information Commissioner's Office, the Law and Regulations Commission of Taipei, Taiwan, Canada’s Privacy Commission, and the Australian Privacy Commissioner.

Sony claims it had no evidence that personal financial information was compromised and therefore it didn’t violate any laws by not notifying users sooner. This is debatable and the legal consequences for not notifying users sooner should be assessed by the authorities in each state or country.

Dr Tanveer Zia is a senior lecturer at the Charles Sturt University's School of Computing and Mathematics.