Everyone by now has heard the rhetoric, foreign policy debate and Hollywood gossip surrounding the massive data breach at Sony Pictures Entertainment, reportedly engineered by the government of North Korea. While its immediate impact affects popular culture — withdrawal of the film The Interview from its U.S. premiere and theatrical exhibition — far less discussed have been the likely effects of the high-profile intrusion and theft on cybersecurity issues at the corporate officer and Board of Directors level.
For five reasons, this episode may well (and to this author, should) turn out to be a tipping point in the adoption by corporate boards and officers of strong cyber threat prevention, detection and remediation practices.
- Corporate IP and Trade Secrets Are Valuable. In addition to the internal and embarassing hacked emails, the Sony Pictures cyber intruders also absconded with the script of a forthcoming, new James Bond film along with internal Sony P&Ls, and actual expense compilations, for movie productions. These are intellectual property (IP) and very sensitive trade secrets, different and far more valuable corporate assets than routine customer social security or credit card information; they represent the results of R&D, thus directly undercutting profitability, and reflect non-public business information subject to extremely limited distribution. Per-picture budgets and profitability, for instance, have been a huge Hollywood issue for decades, with writers, stars and directors all jockeying for a share of profits but largely lacking documentation of actual profit margins. That’s bad enough, but imagine (as a hypothetical) that hackers manage to steal the digital plans for Boeing’s next commercial aircraft or source code for Microsoft’s next release of Windows or the even more secret formula for Coca-Cola? Those jewels of corporate intellectual property could be the Chernobyl of cyber breaches if hacked by competitors, extortionists or both.
- Plaintiffs Have Standing to Sue. The federal courts to date have largely been unresponsive to consumer class actions arising from merchant and retailer data breaches, on the theory that until stolen data is actually used against a victim, he or she has not been directly injured and thus lacks standing to sue. That is not the case where it is corporate IP that is hacked, because (a) the stock market quickly adjusts share prices downwards for the costs of legal defense and likely loss of sales revenue, and (b) stockholders by definition have standing to sue where share prices fall, which is classic financial “injury.” This means that claims under the federal securities laws for misleading statements or lack of disclosure related to cybersecurity incidents, as well as so-called derivative actions against directors and officers for negligence or breach of fiduciary duty, are far more likely to be filed and make it to the merits, that is trial. The 100+ lawsuits against Target for its late-2013 consumer breach could understate the claims potentially leveled against Sony management and directors by an order of magnitude.
- Insurance May Not Cover the Losses. Many corporate boards are indemnified by the company, for all but malfeasance or gross negligence, which increases the costs of corporate legal claims arising from cyber breaches. Yet those costs may or may not be covered by ordinary liability and “errors or omissions” insurance policies. The coverage question is complicated, and beyond the scope of this blog, but it’s a fervent area of insurance law with lots of room for missteps, on both sides. Without insurance coverage, management and corporate boards will be forced to take significant charges or reserves against earnings to cover those potentially huge expenses, which only reinforces the financial and likely stock price impacts of hacking.
- State-Sponsored Corporate Hacking is Warfare. The major cybersecurity public policy issue in 2014 was whether threat information should be shared between the private sector and government. Legislation (the Cybersecurity Information Sharing Act or “CISA”) to jump-start threat sharing, by creating public records release and antitrust exemptions, failed in the U.S. Senate. Now it seems that the most immediate result of the Sony Pictures breach will be a non-partisan push for enactment of that bill ASAP, with expansion to include the Department of Defense as well as DHS being rumored. The Washington Post has already reported that “As the fallout from the cyberattack against Sony Pictures grows amid reports that the hack may be linked to the North Korean government, lawmakers and the Obama administration are calling on Congress to focus heavily on cybersecurity legislation after the holiday recess.” Where the cyber threat is from a foreign state, in other words, even the robust capabilities available in private sector data protection are likely insufficient to robustly guard a company’s IP. State-sponsored hacking is corporate espionage on steroids.
- Even Embarrassing Stuff Has Big Legal Consequences. State law has established a number of torts related to the publication of true but embarrassing, or private, information on people, often compiled into a catch-all “invasion of privacy” moniker. Ordinarily it is the publisher or speaker who is liable and the target of litigation claims. But those same torts apply to anyone with a duty of care to the plaintiff, and it is difficult to see how a company does not have a duty to keep private and potentially embarrassing email discussions reasonably safe from theft by outsiders. The legal framework is complicated by more archaic doctrines of ownership of corporate email content, but the risk is extremely large where the industry is a lucrative one. Silicon Valley executives make as much, if not more via stock and options, than their Hollywood counterparts. So the consequence is that more of the privacy tort claims already filed agianst Sony will become commonplace if internal corporate communications become — as the publicity surrounding Sony Pictures executives’ racially insensitive jokes suggests clearly — a target of hackers looking for blackmail evidence.
Like all prognostications, these are predictions, not guarantees. But the one certain thing is that after the Sony Pictures breach, corporate boards and management will be paying much closer attention to cybersecurity, at the very least because it is now hitting them where it hurts the most: in the pocketbook and bank account.
For more information, please contact Glenn Manishin.
December 19, 2014 No Comments
September 23, 2014 is fast approaching! It is the date by which all Business Associate Agreements (BAAs) must be brought into compliance with the HIPAA Omnibus Final Rule. On January 17, 2013, HHS published the Omnibus Rule which made significant modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. Covered entities and business associates generally had until September 23, 2013 to comply with the changes made by the Omnibus Rule. This included bringing certain of their BAAs into compliance. Recognizing, however, that covered entities and business associates may have many BAAs, the Omnibus Rule included an alternative compliance date of September 23, 2014 to update BAAs where (1) there was a compliant BAA in place on January 25, 2013, and (2) the BAA was not modified between March 26, 2013 and September 23, 2013.
With the September 2014 deadline looming, covered entities and business associate are refocusing their attention on BAAs. Covered entities are trying to ensure that they have the appropriate agreements in place with their business associates. Likewise, business associates are making sure that they have proper agreements with their subcontractors.
August 28, 2014 No Comments
It is a fact of modern commerce that consumers consider online reviews when deciding how to spend their dollars on everything from music, to local restaurants, to electronics. But what happens when a business wants to use those reviews to formulate advertising claims? [Read more →]
August 25, 2014 No Comments
In an oral ruling from the bench, Judge Lorraine Preska of the Southern District of New York recently affirmed Magistrate Judge James Francis IV’s April 29, 2014 decision – Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation, (S.D.N.Y. Jul. 31, 2014), – and rejected Microsoft Corporation’s bid to quash a warrant for the search of an Irish user’s content-based information, which was located in a Microsoft data center located in Ireland.
As you may remember from our previous posts, the Stored Communications Act, 18 USC §§ 2701 through 2711, represents, among other things, an attempt at balancing the privacy rights of individuals who expect that their electronic information will remain private against the government’s legitimate interest in gaining access to such information during criminal investigations.
August 13, 2014 No Comments
Health care apps are everywhere. Electronic medical records and mobile devices have led to an explosion of new applications for health care providers and patients. The US Department of Health and Human Services, has provided financial incentives to health care providers to adopt EMRs and provide and to share health data electronically. Since 2011, HHS has supported the widespread adoption of electronic health record (EHR) technology through its Medicare and Medicaid EHR Incentive Programs, which provide money to eligible practitioners and hospitals that can show that they are “meaningfully” using their EHR according to certain specified measures. New and innovative mobile applications can turn platforms in to medical devices. While exciting, this raises obvious questions about data privacy and patient safety. As the use of more advanced technology becomes widespread in the health care industry, questions have arisen surrounding the level and type of regulation required to ensure patient safety.
August 4, 2014 No Comments
If you have a union in your workplace, or if unions have tried to organize workers in your workplace, you know that unions need ways to communicate with your employees. Before the current digital age, unions relied primarily on communicating through informational picketing and leafleting, posters and mailings, and individual and group meeting to encourage unionization or to communicate with members and represented employees. Today, with the modern workplace and internet-connected workers, communications can be conducted far more quickly, efficiently, cheaply and often more effectively through electronic means, such as email. But historically, unions have not been permitted access to company email systems. The current rule is that “employees have no statutory right to use the[ir] Employer’s e-mail system” for non-work-related purposes. If unions and the current Presidential administration get their way, that all might change.
July 22, 2014 No Comments
Breaking the Seal: Does Using Third Party eDiscovery Vendors Raise Privilege and Work Product Issues?
We’re not breaking news when we tell you that the exponential growth of electronic documents generated by clients has complicated the discovery process. Reducing this massive volume of information down to the relevant information needed to resolve a dispute requires the use of technology for collecting, filtering, processing, analyzing and producing electronically stored information. Attorneys now have to deal with metadata, servers, and social media in order to litigate the merits of cases. Ethics rules have been modified to require lawyers to understand the risks and benefits of technology. And preservation sanctions have alerted attorneys to the need to understand the difference between an email server and a locally-archived PST file. Attorneys should not try to lead double lives as data processors and litigators. Given the real need to properly handle these issues, consulting technology and litigation support providers is common and necessary. But does involving these third-party resources create a risk to the attorney client privilege or work product protections?
July 17, 2014 No Comments
Twice previously this year, we posted about the potential consequences to cloud-based media from the legal dispute between streaming video service Aereo and the television broadcast industry. Last week, the Supreme Court, in a 6-3 opinion, resolved much of the uncertainty detailed in those earlier posts. While the Court ruled against Aereo – holding that its transmission of the broadcasters’ content amounted to a public performance and thus violated the networks’ copyright – the majority’s decision took pains to limit its decision to the facts at issue. Justice Breyer, delivering the opinion of the Court, noted that “we have not considered whether the public performance right is infringed when the user of a service pays primarily for something other than the transmission of copyrighted works, such as the remote storage of content.”
June 30, 2014 No Comments
It should no longer be news that, for parties to most lawsuits, responding to discovery entails searching, reviewing, and producing electronically stored information. Also widely recognized is the fact that electronic discovery can be a costly, time-consuming burden. This burden is magnified for a nonparty subject to a request for ESI who likely won’t see any corresponding upside – that is, no need to use the documents produced to support a claim or defense of their own and no need to receive documents from others for the same purposes. Fortunately, therefore, there are some protections built into the Federal Rules that may minimize the burden to a nonparty on the receiving end of a subpoena. But given the relative scarcity of legal authority on the topic, the varying approaches at the state level, and specific facts of any particular case, nonparties facing discovery demands should try to negotiate a response plan that reduces legal risks and costs. A reasonable plan may even include cost shifting.
June 23, 2014 No Comments
Over the past few years, both the Equal Employment Opportunity Commission and the Federal Trade Commission have been closely scrutinizing the time-honored practice of employee background checks. We’ve posted about background checks before – particularly the risky business of relying on online information brokers instead of, or in addition to, a bona fide credit reporting agency. But the EEOC and FTC recently took the very unusual step of jointly issuing two guides on employment background checks, so we thought it might be helpful to give our readers a refresher.
May 1, 2014 No Comments