If there’s a common note of caution from security experts in the wake of the Sony hack, it’s this: Nothing will be 100% foolproof.
That is a challenge from a legal perspective, as Sony is facing a class-action lawsuit that it didn’t take enough precautions against a massive data breach that the studio calls unprecedented. In other words, where does liability end and unforeseen circumstances begin?
Studios can certainly substantially reduce the risk of a data meltdown, but the ever-changing nature of cyber threats and, perhaps more importantly, the sheer number of employees and contractors working on a system, exposes vulnerabilities.
“I can tell you without any hesitation that every studio is taking this issue very, very seriously and investigating resources and seeking out personnel and ideas on how to make protection for their content,” says Chris Dodd, chairman of the MPAA.
Matt Bogaard of security consulting firm the Bogaard Group Intl. says that colleagues have told him that long-in-the-works proposals for security controls among studios and entertainment firms are “all being approved today.”
A challenge, he says, is that companies can implement “the highest level of sophistication as far as firewalls and technology and compliance … but no matter how good it is there is always a people component. It is the people part of this whole situation that is very difficult. Everyone in the company has to participate in the solution.”
Dodd points to reports where attitudes are changing toward how employees view content security. “The good news is people realize after the Sony hack this is really serious stuff.”
Obviously, what woke people up was the insidious nature of the hack — and a seemingly unending stream of publicity that took on many different strands. After the FBI pinned the blame on North Korea, the White House went into top gear, pushing for legislation to deal with cyber attacks as well as announcing a series of executive orders.
On April 1, President Obama announced a new program that gives the government the ability to impose sanctions against groups and individuals who engage in cyber attacks, with penalties such as freezing of assets. It raises the possibility of sanctions for such activities as corporate espionage and stealing of trade secrets.
Dodd said that there seems to be bipartisan consensus on the need for legislation on cyber threat information sharing between private companies and federal agencies, as well as measures to provide more resources to legal authorities to prosecute such crimes.
More uncertain are prospects for proposed legislation, like measures to establish uniformity in laws on requirements for companies to inform customers and their employees of a data breach.
That is among the issues brought up by nine former Sony employees who filed a class-action lawsuit against Sony even as the studio was still grappling with the full measure of the damage.
The plaintiffs in the case characterize the breach as an “epic nightmare, much better suited to cinematic thriller than to real life.” They contend that Sony did not maintain “reasonable and adequate” security measures to protect employees’ personal information, like social security numbers, salary, and data about bank accounts and health insurance.
The suit accuses the studio of failing to maintain basic measures like access controls and requiring passwords with complexity and encryption. It also contends that Sony left employees in the dark about the scope of the breach.
A hearing is scheduled for May 11 in a federal court in Los Angeles on Sony’s motion to dismiss the case.
There’s been anticipation that the studio’s defense will be that the attack was massive and unprecedented — and therefore unforeseeable. FBI’s Joseph Demarest even testified before a congressional committee that the malware used in the attack could have gotten past “90% of the net defenses that are out there today in private industry.”
But Sony’s lawyers are first trying to end the plaintiff’s case by arguing they don’t have standing to sue because they have “not alleged any legally cognizable harm.” In other words, the ex-employees are suing over their fears of what could happen to their personal information, not over losses resulting from the breach.
Such an attempt to get a case dismissed on such procedural grounds is not a surprise, given the tremendous legal costs if the case moves to a discovery phase, when there could be a full examination of just what type of security protocols Sony had in place, says Bryan Sullivan of the law firm Early Sullivan.
If the litigation moves forward, he says, “I think this is going to lay out a roadmap for the studios (focusing on) what is reasonable in a given situation.” Questions to ask, he adds, include: What precautions are a reasonable company supposed to take? What happens if you buy NSA software and still get hacked?
“It’s not an easy question to answer, which is why Sony is trying to attack this litigation right away,” he says.