Sony Hack Attack Opens Minefield of Legal Questions That Has Hollywood Worried

In the aftermath of the cyber breach on Sony Pictures, lawyers wrestle with class action suits as execs ponder cyber security

If there’s a common note of caution from security experts in the wake of the Sony hack, it’s this: Nothing will be 100% foolproof.

That is a challenge from a legal perspective, as Sony is facing a class-action lawsuit that it didn’t take enough precautions against a massive data breach that the studio calls unprecedented. In other words, where does liability end and unforeseen circumstances begin?

Studios can certainly substantially reduce the risk of a data meltdown, but the ever-changing nature of cyber threats and, perhaps more importantly, the sheer number of employees and contractors working on a system, exposes vulnerabilities.

“I can tell you without any hesitation that every studio is taking this issue very, very seriously and investigating resources and seeking out personnel and ideas on how to make protection for their content,” says Chris Dodd, chairman of the MPAA.

Jason Greenberg for Variety

Matt Bogaard of security consulting firm the Bogaard Group Intl. says that colleagues have told him that long-in-the-works proposals for security controls among studios and entertainment firms are “all being approved today.”

A challenge, he says, is that companies can implement “the highest level of sophistication as far as firewalls and technology and compliance … but no matter how good it is there is always a people component. It is the people part of this whole situation that is very difficult. Everyone in the company has to participate in the solution.”

Dodd points to reports where attitudes are changing toward how employees view content security. “The good news is people realize after the Sony hack this is really serious stuff.”

Obviously, what woke people up was the insidious nature of the hack — and a seemingly unending stream of publicity that took on many different strands. After the FBI pinned the blame on North Korea, the White House went into top gear, pushing for legislation to deal with cyber attacks as well as announcing a series of executive orders.

On April 1, President Obama announced a new program that gives the government the ability to impose sanctions against groups and individuals who engage in cyber attacks, with penalties such as freezing of assets. It raises the possibility of sanctions for such activities as corporate espionage and stealing of trade secrets.

Dodd said that there seems to be bipartisan consensus on the need for legislation on cyber threat information sharing between private companies and federal agencies, as well as measures to provide more resources to legal authorities to prosecute such crimes.

More uncertain are prospects for proposed legislation, like measures to establish uniformity in laws on requirements for companies to inform customers and their employees of a data breach.

That is among the issues brought up by nine former Sony employees who filed a class-action lawsuit against Sony even as the studio was still grappling with the full measure of the damage.

The plaintiffs in the case characterize the breach as an “epic nightmare, much better suited to cinematic thriller than to real life.” They contend that Sony did not maintain “reasonable and adequate” security measures to protect employees’ personal information, like social security numbers, salary, and data about bank accounts and health insurance.

The suit accuses the studio of failing to maintain basic measures like access controls and requiring passwords with complexity and encryption. It also contends that Sony left employees in the dark about the scope of the breach.

A hearing is scheduled for May 11 in a federal court in Los Angeles on Sony’s motion to dismiss the case.
There’s been anticipation that the studio’s defense will be that the attack was massive and unprecedented — and therefore unforeseeable. FBI’s Joseph Demarest even testified before a congressional committee that the malware used in the attack could have gotten past “90% of the net defenses that are out there today in private industry.”

But Sony’s lawyers are first trying to end the plaintiff’s case by arguing they don’t have standing to sue because they have “not alleged any legally cognizable harm.” In other words, the ex-employees are suing over their fears of what could happen to their personal information, not over losses resulting from the breach.

Such an attempt to get a case dismissed on such procedural grounds is not a surprise, given the tremendous legal costs if the case moves to a discovery phase, when there could be a full examination of just what type of security protocols Sony had in place, says Bryan Sullivan of the law firm Early Sullivan.

If the litigation moves forward, he says, “I think this is going to lay out a roadmap for the studios (focusing on) what is reasonable in a given situation.” Questions to ask, he adds, include: What precautions are a reasonable company supposed to take? What happens if you buy NSA software and still get hacked?

“It’s not an easy question to answer, which is why Sony is trying to attack this litigation right away,” he says.

Popular on Variety

More Biz

  • Mass Appeal and Universal Launch Hip-Hop

    Nas, Mass Appeal and Universal Music Launch Hip-Hop Label in India, Sign Divine

    Mass Appeal and Universal Music Group today announced the launch of Mass Appeal India – a new label dedicated to amplifying India’s burgeoning hip-hop culture on a global scale. The new label’s operations will be based Universal Music India’s headquarters in Mumbai and will function as a multi-channel partnership between the two companies. According to the announcement, Mass Appeal India will sign and [...]

  • Harvey Weinstein, center, arrives to court

    Weinstein's Attorneys Seek to Move Trial to Long Island or Albany

    Harvey Weinstein’s attorneys want his rape trial moved to Long Island or Albany, citing the “circus-like atmosphere” surrounding the courthouse in Manhattan. Weinstein is set to go on trial on Sept. 9 on five charges of rape and sexual assault. The disgraced producer faces a potential life term if convicted. In a motion to the [...]

  • Edge, left, Adam Clayton, and Bono

    New York’s PlayStation Theater to Close (EXCLUSIVE)

    New York’s PlayStation Theater, a 2,100-capacity venue located in Times Square and operated by Bowery Presents, will close at the end of 2019, a source close to the situation tells Variety. The venue will close with a New Year’s series of shows from the Disco Biscuits. The theater, which is located two stories beneath the [...]

  • Courtesy of Earwolf

    How Lauren Lapkus Tossed the Script and Created a Podcasting Hit

    Lauren Lapkus has tossed the script on what makes most podcasts a hit. At a time when many of the most downloaded shows are true crime investigations or celebrity interviews, she’s doing something entirely different on each episode of “With Special Guest Lauren Lapkus.” Each hour-long installment is a free-wheeling, completely improvised ride. One show [...]


    WWE's 'NXT' Moves to USA Network as Wrestling Competition Heats Up

    WWE has struck a deal to move its “NXT” franchise focusing on rising stars to USA Network starting next month. “NXT” will shift to USA from the WWE Network subscription streaming service as of Sept. 18. The deal comes as USA is about to lose WWE’s “SmackDown” showcase to Fox starting in October. USA is [...]

  • Shazam

    Apple Music Launches 'Shazam Discovery' Chart, Focused on New Artists

    Apple Music today launched the “Shazam Discovery Top 50,” a weekly, global ranking of 50 artists that it describes as “on the move and trending” — in other words, new and emerging artists. While the company wouldn’t say much specifically about how the chart is tabulated, it uses “Shazam’s proprietary algorithms [to offer] a unique predictive view [...]

More From Our Brands

Access exclusive content