The Sony Hack is big news and big news for lawyers.
Besides the international political implications, celebrity backstabbing, studio politics and the involvement of a North Korean dictator, there are a number of legal angles already emerging with more to come.
Of course, there’s lawsuits. Sony has brought in Boies Schiller & Flexner to assist as well. So underlying the big legal story is a big technology story. Here are a few easily digestible takeaways for lawyers about the computing component to this story.
Factual Background
In late November, the first reports of an attack on Sony Pictures Entertainment (SPE) became public. Confidential emails from top SPE executives were made public, unleashing a torrent of controversy.
Sony’s corporate servers were hijacked by malicious software. Rumors emerged it was as a result of cyber-attack in retaliation for a movie that parodies North Korean dictator Kim Jong-un.
The hackers returned with another attack on the corporate servers and left threats referencing 9/11 if the movie were to be screened.
Sony pulled the picture from release after theaters announce they would not show it out of concern for public safety.
U.S. Officials confirmed North Korea is behind the attack and are considering an appropriate response.
The Secretary of Homeland Security has suggested that “Every C.E.O. should take this opportunity to assess their company’s cybersecurity.”
So what are some key takeways for lawyers in thinking about cybersecurity?
1. This Was No Run-of-the-Mill Hack
If a low-impact hack is hijacking someone’s Twitter feed – this sits at the opposite end of the spectrum. It wasn’t just an email hack – malicious software placed on Sony’s corporate servers erased vast amounts of data, connected with servers outside its firewall, and released confidential employee information publicly. The hackers left ‘backdoors’ so they could get in again.
It’s an “unprecedented” event on a scale never seen before.
2. Even The Most Sophisticated Internet Companies Cannot Secure Their Networks
Think twice if you believe your law firm’s or corporate defenses are sufficient to ensure that confidential client data is secure.
Because, if a company that has millions of users online can’t keep hackers out, your law firm network probably can’t either. Compare your organization’s resources to Sony.
3. Data Security Companies Apparently Can’t Secure Data Behind The Firewall
The FBI reported that the Sony hackers would have compromised 90% of commercially available technologies. As in 9 out of 10 technologies would not have prevented this attack.
Pretty low odds. It appears only the government would stand a chance against a hack of this caliber. Essentially it would take an army.
4. Antivirus Software Apparently Doesn’t Work So Well
The security firm brought in by Sony reported that the malware used would have been “undetectable by industry standard antivirus software”. That’s not good news.
5. Hacking A Network Is A Way Get Back At An Opponent
Trying to stay under the radar with a low profile is not a security strategy for law firms. You wouldn’t keep a briefcase of cash in the office – your client’s data is no less valuable.
Obviously, law firms represent companies against specific entities with adverse interests. Securing their data is a minimum ante – and hoping for anonymity is not a viable security strategy.
6. Think About Mitigating Risk
Securely hosting data presents tremendous challenges for law firms. Is the risk worth it?
There’s prevailing thought in the security industry that there are two types of companies: Companies that know they’ve been breached and those that don’t know yet that they’ve had a breach.
It’s not just external threats, as Edward Snowden has shown, even the NSA isn’t immune to internal breaches that have equally devastating effects.
Mitigating the cybersecurity risk begins with understanding your current security processes. For example, does your firm’s email and privileged data reside on the same network and behind the same security architecture? If so, then both are at risk from a single breach.
Being 100% certain that your organization won’t be breached isn’t possible. But taking steps to prevent how widespread a breach would be, is possible.
