
Tis the Season: Little Joy from the Sony Data Breach

The Sony data breach makes for amazing theater. There are the nasty and catty emails from Sony executives about famous people. There is the growing evidence that this was a state-sponsored attack originating in North Korea. And then, of course, there is Sony’s recent decision to pull “The Interview” from theatrical release. You couldn’t make this stuff up.

But underneath the drama there is also very real damage to the many Sony employees whose sensitive personal and financial information was exposed. Data breaches are fundamentally about disrupting people’s lives: often for profit, sometimes, as may be the case here, simply out of spite. And as we learned throughout 2014, organizations are extremely vulnerable and cyber attackers are very capable.

It has been estimated that the breach will ultimately cost Sony over $100MM, as noted in a recent Wall Street Journal article. There is also discussion that Sony knew its security controls were inadequate and simply accepted that risk. In a 2007 interview, Sony’s director of information security, Jason Spaltro, even flaunted the lack of appropriate security investment, stating that “I will not invest $10 million to avoid a possible $ million loss.” In retrospect, that doesn’t look like such a good bet after all.

It is particularly frustrating that the laxity of one’s employer (or retailer or information vendor, for that matter) can trump an individual’s own efforts to be careful and to protect their personal information from theft and misuse.

As noted in a recent TechCrunch post, “you may be doing everything possible to protect yourself online, but your employer may be laissez faire about the whole thing. This is the position that over 6,500 current (and many former) employees of Sony find themselves in today.”

Now we learn that these employees may also have had sensitive health information exposed in the hack. CSO Online has published in detail the entire spectrum of personal information exposed in the breach, per the breach notification letter Sony sent to employees.

They note that “unauthorized individuals may have obtained HIPAA protected health information, such as name, social security number, claims, appeals information submitted to SPE (Sony Pictures Entertainment) including diagnosis and disability code, date of birth, home address, and member ID number…”

Several class action lawsuits have also been filed against Sony, as noted by Wired. The most recent one describes the situation as an “epic nightmare, much better suited to a cinematic thriller than real life….Sony gambled, and its employees – past and current – lost.”

While such class actions have not typically prevailed, there is speculation that the FTC may also take an interest in the Sony case. “Sony could also face trouble with the Federal Trade Commission for deceptive trade practices,” notes Brian Hall, a partner in the labor and employment department of the PorterWright law firm.

So, as we approach the end of 2014, what should organizations that maintain sensitive personal data on employees and customers, as well as other valuable proprietary business information, consider making their 2015 New Year’s resolution?

I’d suggest that they commit to “upping their game” when it comes to privacy and security investment, both in securing data assets and in better managing privacy incidents. Most major corporations still don’t treat security and privacy as a board-level issue. Sony’s plight may lead them to rethink that position.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.