The office of the Australian Privacy Commissioner has declared that while Sony Australia should have notified its customers more quickly of April's infamous PlayStation Network security breach, it did not breach the country's Privacy Act.
This act regulates how companies transfer customer information to other parties or agencies, and earlier this year the Australian Privacy Commissioner began an investigation to verify whether Sony had violated the law.
After examining information provided by Sony Australia, however, the Privacy Commissioner determined that the company had not breached the act, and that the leak was the "result of a sophisticated security cyber attack on the Network Platform's systems."
In its report the Commissioner's office also pointed out that Sony Australia "held no personal information relating to the incident." Rather, the stolen data was stored in a data center in San Diego, California.
In addition, the report notes that "the Privacy Commissioner was also satisfied with how the incident was dealt with following the breach in terms of the extra security measures that have been implemented to help protect personal information."
However, the Commissioner said that the seven-day period between Sony Europe becoming aware of the incident and notifying its consumers was far too long.
"Given his concerns over the period that elapsed before Sony notified its customers, the Privacy Commissioner strongly recommended that Sony review how it applies the OIAC's Guide to handling personal information security breaches," the report said.
Earlier this year, the Australian government announced plans to implement new laws that would force companies to report security breached quickly in direct response to this year's PSN breach.