It is not evident whether the recent breach could have been prevented by any program implemented to address the 2011 issues. Furthermore, I think it is worth sharing here that I worked in the corporate space for years before becoming an attorney. I am not suggesting in any way that implementing change happens quickly in any large corporate enterprise. For example, could Sony have encrypted all passwords between April 2011 and May 2011? Perhaps. Perhaps not. A large ship does not turn on a dime. I get that.
However, any company in such a position should use such opportunities to understand and correct information security deficiencies. More importantly, it is critical to understand that the security process never ends. Rather, good information security practice continues to evolve to meet emerging threats. Such an approach may not stop every threat, but it can prevent a great many of them and mitigate the harm from the rest. Do you think such a best practice is nice, but not necessary? Think again, as regulators from agencies such as the FTC and the Office of Civil Rights have made it clear they expect to see documented evidence of a company's "lessons learned" from breaches or from its own audits. Indeed, as one regulator told me, the worst thing to do is have an audit that identifies a known risk or vulnerability and then do nothing to mitigate or fix it. Thus, paying attention and taking action will not only prevent attacks and mitigate harm, it can lessen the likelihood of steep enforcement actions or successful litigation resulting from future breaches.
Thus, in addition to looking at the actual vehicles for hacks, including new malware and other reported threats, companies also need to ponder who would attack them and why. To properly plan ahead and implement a reasonable security program, a company needs to look outside itself and consider the long view. Who would be motivated to attack the company? Where are these people located? Are there authorities or resources that can assist in planning countermeasures for such attacks? Are there internal resources, employees, or employee practices that could enable such a hacker? Or do those risks lie with a company's third-party service providers, such as the HVAC company we saw in the Target breach last year? The "who" here is very important because the attack vehicle will change based on the success or failure of the attack. Understanding the "who" behind the attack might help a company anticipate, if possible, the next attacks and plan for ways to stop them. I completely understand that many companies with limited resources are just trying to keep the castle walls up and the moat dug. However, as part of a larger data governance plan, a company is well served to look beyond those walls to see what enemy forces might be amassing and why. Doing so will drive better analysis of, and preparation for, the attacks themselves.
Not surprisingly, given prior breaches and hacks, Sony was allegedly still working through discussions on retaining e-mails beyond their useful or compliance-driven life. A recent blog post in the (December 12, 2014) shared some insight on this very issue at Sony:
"In the year heading up to the hack, company lawyers discussed document retention policies — a subject that is certainly common inside legal departments in corporate America, but one that suddenly looks sadly ironic given what's transpired. According to, in a message titled "email purge," Weil argued with a colleague about whether the company should take a more cautious approach to retaining emails. "While undoubtedly there will be emails that need to be retained and or stored electronically in a system other than email, many can be deleted and I am informed by our IT colleagues that our current use of the email system for virtually everything is not the best way to do this," she wrote."
Such a discussion is indeed ironic considering Sony's breach, but it is hardly unique to Sony. Companies struggle with retention schedules all the time. In the face of cheaper storage space and more powerful computing, companies are often loath to get rid of anything, just in case something comes up, such as a new marketing opportunity. "Just in case" is not a data retention policy, and it presents as many legal obligations and risks as it does security risks. The discussion can be difficult, heated, and unwanted, as everyone is focused on their "real" jobs. But ignoring the discussion altogether is an invitation for disaster.
Again, it is always easy to pick on the latest victim of a cyber attack, and hindsight is always 20/20. I prefer to use such moments as learning opportunities and to focus on perhaps the less obvious security and data governance principles at play. Taking a little time, making a plan, and executing the plan can make a world of difference.