At the end of the year, I think it’s likely that the hacks against Sony’s networks from this past spring will turn out to be one of the most significant events in IT security this year. The breadth of these hacks, and the consequences for both the company and its users, were severe, with the PlayStation Network (PSN) down for over a month and other online systems affected as well. Confidence in Sony’s professionalism went down, and users became very unhappy.
Right away, some of the more obvious consequences were plain to see. The most pressing issue was to determine who was behind it, and that caused a lot of drama around the web. Then there was the compensation paid by Sony for over 100 million accounts that had been affected. But lately, another consequence resulted directly from those hacks, and was much less publicized.
A few weeks ago, Sony updated its Terms of Service for all users of Sony’s PSN in the US, Canada, and other parts of the world. For now, Europe and Australia aren’t affected. This text was added:
“Any Dispute Resolution Proceedings, whether in arbitration or court, will be conducted only on an individual basis and not in a class or representative action or as a named or unnamed member in a class, consolidated, representative or private attorney general action.”
Sony is basically forcing all its users to agree not to sue them in a class action suit, or participate in one. Instead, if they get hacked again, and you feel they were criminally negligent with your credit card information or other personal data, you will have to go to court yourself, with no other support. You’ll have to rely on arbitration with Sony, or pay for court fees yourself if you can’t come to an agreement with the company.
Of course most users won’t scroll down to read that, and will instead click on the Accept button. Even if they know, since the only alternative is to close their Sony account and sell their PlayStation products, chances are people will whine about it but still make do. However, is it legal? Apparently it is, as Sony has been quick to point out to CNN. In a recent ruling in an AT&T case, the Supreme Court said that such language was acceptable.
The only silver lining they gave users was to also add this part, which allows you to keep the right to sue them, but you have to formally request it, by writing:
“If you do not wish to be bound by the binding arbitration and class action waiver in this section 15, you must notify SNEI in writing within 30 days of the date that you accept this agreement. Your written notification must be mailed to 6080 Center Drive, 10th Floor, Los Angeles, CA 90045, ATTN: legal department/arbitration”
But it doesn’t end there. While Sony caught some flak for doing this, they held strong, and other companies were paying attention. Electronic Arts just recently made a change to the Terms of Service of its own online services, and the new language looks strangely similar:
“By accepting these terms, you and EA expressly waive the right to a trial by jury or to participate in a class action.”
These terms also apply to Origin, the new online distribution service from EA, and in this case users have much to lose, like their payment information, should some kind of hack occur. Note however that in this case, users in Quebec, Russia, Switzerland, or Member States of the European Union are excluded from the new terms.
With this becoming a common part of the terms for online services, and such big companies using them, it’s only a matter of time before this is standard practice in any company’s online system. It takes a lot of power away from the user, because everyone knows that suing a large company is not realistic in most cases, unless you have access to a room filled with lawyers. This is why class action suits exist.
Thinking about the future, it’s easy to see how companies no longer think of security as strictly a computer thing, something left to the IT crew that management doesn’t care much about. Now, hacks can cost money, and so the executives are no longer content with leaving such an important issue to the network gurus. It’s going to be a multi-faceted approach. Securing the networks for many of them is only a means to an end. The end is making money, or in this case, making sure they don’t lose any.
As the world watched Sony’s reputation go down, and its costs go up, while it dealt with the multiple hacks that were done against its networks, the company quickly realized it was vulnerable. And the solution they found was both brilliant and terrifying. Regardless of how unhappy your customers get, make sure that whatever they do, it can’t affect your bottom line.