Everyone by now has heard the rhetoric, foreign policy debate and Hollywood gossip surrounding the massive data breach at Sony Pictures Entertainment, reportedly engineered by the government of North Korea. While its immediate impact affects popular culture — withdrawal of the film The Interview from its U.S. premiere and theatrical exhibition — far less discussed have been the likely effects of the high-profile intrusion and theft on cybersecurity issues at the corporate officer and Board of Directors level.
For five reasons, this episode may well (and to this blogger, should) turn out to be a tipping point in the adoption by corporate boards and officers of strong cyber threat prevention, detection and remediation practices.
- Corporate IP and Trade Secrets Are Valuable. In addition to the internal and embarrassing hacked emails, the Sony Pictures cyber intruders also absconded with the script of a forthcoming James Bond film, along with internal Sony P&Ls and actual expense compilations for movie productions. These are intellectual property (IP) and very sensitive trade secrets, different and far more valuable corporate assets than routine customer social security or credit card information; they represent the results of R&D and creative risk-taking, so their theft directly undercuts profitability, and they reflect non-public business information subject to extremely limited distribution. Per-picture budgets and profitability, for instance, have been a huge Hollywood issue for decades, with writers, stars and directors all jockeying for a share of profits but largely lacking documentation of actual profit margins. That’s bad enough for Sony, but imagine (as a hypothetical) that hackers manage to steal the digital plans for Boeing’s next commercial aircraft or source code for Microsoft’s next release of Windows or the even more secret formula for Coca-Cola. Those jewels of corporate intellectual property could be the Chernobyl of cyber breaches if hacked by competitors, extortionists or both.
- Plaintiffs Have Standing to Sue. The federal courts to date have largely been unresponsive to consumer class actions arising from merchant and retailer data breaches, on the theory that until stolen data is actually used against a victim, he or she has not been directly injured and thus lacks standing to sue. That is not the case where it is corporate IP that is hacked, because (a) the stock market quickly adjusts share prices downwards for the costs of legal defense and likely loss of sales revenue, and (b) stockholders by definition have standing to sue where share prices fall, which is classic financial “injury.” This means that claims under the federal securities laws for misleading statements or lack of disclosure related to cybersecurity incidents, as well as so-called derivative actions against directors and officers for negligence or breach of fiduciary duty, are far more likely to be filed and to make it to the merits, that is, trial. The 100+ lawsuits against Target for its late-2013 consumer breach could understate the claims potentially leveled against Sony management and directors by an order of magnitude.
- Insurance May Not Cover the Losses. Many corporate boards are indemnified by the company, for all but malfeasance or gross negligence, which increases the costs of corporate legal claims arising from cyber breaches. Yet those costs may or may not be covered by ordinary liability and “errors or omissions” insurance policies. The coverage question is complicated, but it’s a fervent area of insurance law with lots of room for missteps, on both sides. Without insurance coverage, management and corporate boards will be forced to take significant charges or reserves against earnings to cover those potentially huge expenses, which only reinforces the financial and likely stock price impacts of hacking.
- State-Sponsored Corporate Hacking is Warfare. The major cybersecurity public policy issue in 2014 was whether threat information should be shared between the private sector and government. Legislation (the Cybersecurity Information Sharing Act or “CISA”) to jump-start threat sharing, by creating public records release and antitrust exemptions, failed in the U.S. Senate. Now it seems that the most immediate result of the Sony Pictures breach will be a non-partisan push for enactment of that bill ASAP, with expansion to include the Department of Defense as well as DHS being rumored. The Washington Post has already reported that “As the fallout from the cyberattack against Sony Pictures grows amid reports that the hack may be linked to the North Korean government, lawmakers and the Obama administration are calling on Congress to focus heavily on cybersecurity legislation after the holiday recess.” Where the cyber threat is from a foreign state, in other words, even the robust capabilities available in private sector data protection are likely insufficient to robustly guard a company’s IP. State-sponsored hacking is corporate espionage on steroids.
- Even Embarrassing Stuff Has Big Legal Consequences. State law has established a number of torts related to the publication of true but embarrassing, or private, information on people, often compiled into a catch-all “invasion of privacy” moniker. Ordinarily it is the publisher or speaker who is liable and the target of litigation claims. But those same torts apply to anyone with a duty of care to the plaintiff, and it is difficult to see how a company does not have a duty to keep private and potentially embarrassing email discussions reasonably safe from theft by outsiders. The legal framework is complicated by more archaic doctrines of ownership of corporate email content, but the risk is extremely large where the industry is a lucrative one. Silicon Valley executives make as much as their Hollywood counterparts, if not more via stock and options. So the consequence is that privacy tort claims like those already filed against Sony will become commonplace if internal corporate communications — as the publicity surrounding Sony Pictures executives’ racially insensitive jokes suggests clearly — become a target of opportunity for hackers looking for blackmail evidence.
Like all prognostications, these are predictions, not guarantees. But the one certain thing is that after the Sony Pictures breach, corporate boards and management will be paying much closer attention to cybersecurity, at the very least because it is now hitting them where it hurts the most: in the pocketbook and bank account.
Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.