WHITE PAPER: THE TRUE IMPLICATIONS OF THE SONY HACK

White Paper for the Office of General Counsel
IT'S A SCARY CYBER-WORLD OUT THERE
CASE IN POINT: THE TRUE IMPLICATIONS OF THE SONY HACK

© Copyright 2017 WindTalker® All rights reserved.

INTRODUCTION

It was Monday morning, November 24, 2014, a seasonably warm day in Southern California. Thanksgiving was three days away, meaning Hollywood would soon shut down until the new year. It would soon be a time for family and friends and year-end celebration. The former General Counsel of Sony and recently named President of Sony Group Entertainment, Nicole Seligman, arrived at work ready to take on the day. But within moments of entering her office, Nicole began to realize that this day would live on in infamy.

"OBVIOUSLY THE SONY HACK WAS A WAKE-UP CALL FOR ANYONE IN MY INDUSTRY, AND I WOULD THINK FOR ANYONE IN ANY INDUSTRY"
Kevin Spacey, actor and film studio boss, January 2016

Hackers, suspected to be of North Korean origin, accessed the computer network of one of Hollywood's — and the world's — largest and most powerful studios. The attack was thought to be pre-emptive revenge for the Sony Christmas release of The Interview, in which the bumbling duo of Seth Rogen and James Franco were tasked by the CIA to assassinate North Korean despot Kim Jong-un. North Korean media denounced it as an act of terror and war. Kim Jong-un promised "a merciless response." But it would soon be learned that a shadowy group called the Guardians of Peace had posted 40GB of Sony's private and proprietary data on the anonymous website Pastebin. The data revealed significant pay differences among the lead actors, sensitive details of Sony budgets and lay-off strategies, 3,888 personal and private Social Security numbers, salaries of 17 of its most highly paid executives, high-quality videos of unreleased upcoming films, and documents laying out Sony's global brand strategy.

This could happen to you and your company. And if it did, you and your company would be the "victim", just like Sony, but that would pale against the dark, harsh truth: your company would also be branded a "violator". A violator for failing to properly secure highly valuable company assets, deeply personal private information, and enormously revealing proprietary secrets. And as violator, your company would be exposed to massive potential liability from federal and state regulators, shareholders, investors, class action law firms, employees, clients and third parties. The Sony attack, combined with the lessons of FTC v. Wyndham, 50+ FTC consent decrees, the ominous horizon of the legal malpractice concerns raised by Shore v. Johnson & Bell, ABA and state-imposed attorney ethics rules, and more, all point the same way: the time for OGC to bolster cybersecurity on all levels is now.

SONY EMPLOYEE HACKING CLASS ACTION

Before Christmas of 2014, two former employees who hadn't worked at Sony in years filed class action lawsuits against Sony in California federal district court. Generally, the lawsuits claimed that Sony violated its legal duty to protect the personal information of current and former employees. That information included their names, Social Security numbers, former addresses, and other private information. "Security weaknesses in Sony's network" were blamed, and of course the company's outside litigation counsel pushed back hard, vigorously opposing class certification by arguing that anyone in the class would be hard-pressed to prove any damages were specifically caused by the Sony hack.


By January 2016, five more class action lawsuits had followed, with the beleaguered studio not opposing the motion to consolidate them into one. The motion stated: "Plaintiffs in each of the cases generally allege that SPE [Sony Pictures Entertainment] failed to maintain adequate security policies and practices to protect Plaintiffs' information." In a memo to employees, CEO Michael Lynton (co-chairman Amy Pascal resigned soon after the hack) tried to rally his troops from the cloud of doom that had permeated the company: "Over the past six weeks I have seen incredible tenacity, resilience and grit. That inspires me, and gives me confidence that we will not only recover, but thrive because of what we've been through." Hundreds of thousands of dollars and thousands of man-hours of disruption later, the matter settled by the end of 2015, paying out a speculated $4.5 million to current and former employees and $3.5 million to attorneys.

Unfortunately for Sony, and for every company that's hacked, the employee class action is just the tip of the iceberg. And for OGC, the challenge is to prevent the tip of the iceberg from birthing a glacier of further liability, asset damage, and below-the-surface brand erosion.

THE GLACIER OF LIABILITY

In the wake of the Sony hack, Melissa Maleski wrote for Law360, a LexisNexis company: "It's not a question of if you'll be hit with a data breach attempt, but when. And if it's successful, the fallout litigation is just as inevitable." Here are six different potential lawsuits that every General Counsel should expect to see across his or her desk in the months following a publicized cybersecurity breach:

1. An Employee Lawsuit, or a slew of them, brought by past and present employees, either as class actions, individual lawsuits, or most typically both. For example, in 2014 a Coca-Cola employee filed a putative class action claiming the company was negligent in its failure to secure employee information and to promptly notify employees of the theft of 55 company laptops containing employees' personal information [1]. While the judge tossed many of the claims, he allowed claims for breach of contract and restitution to remain [2]. This case prompted Katten senior counsel to observe that the unjust enrichment claims in particular were "a really novel theory predicated in a company's failure to provide adequate resources to the protection of personal nonpublic information." But note: these are exactly the claims made in the legal malpractice action described in the WindTalker Case Study, Shore v. Johnson & Bell: The Catastrophic Potential of Cyber Security Lapses at Professional Services Firms.

2. The inevitable Consumer Lawsuits are soon to follow, and they are the most ubiquitous in this realm of risk exposure. Though companies demand proof of actual harm traced to the specific hack or breach in question, "a high bar to meet" observes K Royal, assistant general counsel and privacy officer at CellTrust Corp, plaintiffs' counsel are becoming ever more creative. For example, a federal judge held that consumer plaintiffs had standing to sue Target Corp. following its 2013 credit and debit card data breach. The company quickly settled the case, agreeing to pay up to $10 million to consumers who could document any losses they'd suffered. And then there was the Neiman Marcus Group breach, in which consumer credit card information was stolen. Initially dismissed, the case was reinstated on appeal by the Seventh Circuit, making it much easier for consumers to sue over data breaches; the court found the plaintiffs "have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store's database and steal consumers' private information?" [3] Commenting on Neiman Marcus, AGC Royal said: "This is a wonderfully illustrative case, because it was a 2013 breach that just received the decision in July of this year to proceed, demonstrating how long it can take for these cases to work through the system."

[1] Shane K. Enslin v. The Coca-Cola Company et al.
[2] Greenwald, Judy, "Court rules for Coca-Cola identity theft victim on stolen laptops," Business Insurance, http://www.businessinsurance.com/article/20151013/NEWS06/151019945/pennsylvania-federal-court-rules-for-coca-cola-identity-theft-victim
[3] Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), No. 14-3122, on appeal from N.D. Ill. No. 14 C 1735, http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2015/D07-20/C:14-3122:J:Wood:aut:T:fnOp:N:1590360:S:0

3. The newest litigants at the lawsuit trough are Financial Institutions. After Target suffered its highly publicized data breach, which spawned dozens of lawsuits nationwide, the card-issuing financial institutions took aim at Target as well, filing suit in the consolidated federal litigation in the U.S. District Court for the District of Minnesota. Ultimately it became the first-ever settlement of a breach-related lawsuit reached on behalf of financial institutions. Unquestionably, it will lead more banks to turn directly to retailers to recoup their losses after a breach, rather than working through the post-breach recovery programs established by the payment card companies themselves. In the Target case, the $39 million settlement will ultimately garner the banks more money than the Visa and MasterCard programs would have. "The card-issuing banks usually didn't have any direct relationship to the retailer, so it was difficult for them to sue, and most of the time in the past, they haven't done so," said the deputy practice leader of the Sutherland Asbill & Brennan privacy and cybersecurity team. "But I suppose Target involved enough money for them that it made it worthwhile to give it a shot."

4. After the negative publicity of the foregoing hits the fan, Shareholder Lawsuits often follow, depending of course on a confluence of factors that may impact stock value. The initial appeal to shareholder plaintiffs' counsel is that the company is socked with massive costs and litigation fees generated directly and specifically because the company, arguably, failed to protect sensitive data, communications, email and information in a universe where cyber-thefts are frequent and to be expected. These suits often specifically name directors and officers of the company and also allege mishandling of the litigation and fallout of the publicized breach [4]. For example, after the Target breach, the company's shareholders filed a derivative lawsuit against 13 of its officers and directors, claiming breach of fiduciary duties and waste of corporate assets. Though we're only speculating, we're sure that General Counsel expected some if not all of these individuals to walk into his or her office for a chat. Fortunately, not all such lawsuits are successful, as indicated by the dismissals of both the Wyndham derivative action arising from the FTC consent decree and the Home Depot derivative action arising from hackers gaining access to 56 million customer credit card numbers.

5. With employees, consumers and financial institutions all circling, federal and state Government Regulators cannot help but smell the blood. We know from the stern lessons of FTC v. Wyndham that the unaddressed compromise of private consumer data and information may bring down a walloping consent decree that extends decades into the future. (See our earlier White Paper: FTC v. Wyndham: Exposing Companies to Decades of Government Oversight.) But the FTC is just one agency that polices confidential private information. If health information is compromised, you can expect the U.S. Department of Health and Human Services (HHS) to come sniffing. For example, in 2013 WellPoint Inc. had to shell out $1.7 million for alleged HIPAA violations related to a breach more than three years earlier, in which it was accused of inadequate technical and administrative protections [5]. And these, the FTC [6] and HHS, are just two. The SEC [7], the Consumer Financial Protection Bureau, and the U.S. Department of Defense all have cybersecurity enforcement jurisdiction over their respective turfs. In addition, 47 states now have data breach laws, with California and Connecticut leading the way by encouraging their attorneys general to crack down on companies that shirk their cybersecurity duties. Clearly, adopting and complying with effective security protocols is the best way to avoid enforcement action. It's "a perilous course" for a company or its employees to cover up a data breach, says Claudia Callaway of Katten Muchin Rosenman LLP: "That's where a company can draw the attention of federal regulators."

[4] The Breach-Related Derivative Suit Trend Continues, https://www.law360.com/articles/702523?scroll=1
[5] HHS official website: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/wellpoint/index.html
[6] Recently the FCC fined Cox Communications for lax cybersecurity after the so-called "Lizard Squad hack." http://www.bankinfosecurity.com/fcc-fines-cox-over-lizard-squad-hack-a-8668
[7] The SEC fined R.T. Jones Capital Equities Management Inc. for allegedly failing to adhere to a safeguards rule in the securities laws. https://www.sec.gov/litigation/admin/2015/ia-4204.pdf [The SEC said the investment adviser did not adopt written policies and procedures ahead of its breach, which compromised the information of 100,000 individuals.]
8

6. The immediate reaction, domino effect and/or trickle-down of all of the foregoing is the company's Insurance Claim and the Insurance Litigation that often results. Most companies that manage personal and financial information have already had a long sit-down with their brokers and invested in some form of cyber-breach insurance. But insurance policies are made very tricky, as we all know, by a myriad of highly technical definitions and exclusions whose terminology rarely interfaces squarely with the real world, much less the alternative reality of cybersecurity: zero days, ransomware, malware, viruses, phishing, worms, and Trojan horses.

"There will certainly be litigation over what cybersecurity insurance really covers," says Claudia Callaway, chair of the consumer finance litigation practice at Katten Muchin Rosenman LLP. "Providers will say, 'This is where the breach came from, and the policy doesn't cover this exclusion.' Companies need to be savvy when they buy these insurance products." For example, Sony went to the mat with Zurich and Mitsui Sumitomo over coverage for the infamous 2011 PlayStation Network breach, with a New York judge severely circumscribing coverage by finding that a third-party hack did not trigger the clause covering "publication" of private information. Unfortunately for the rest of us, the case settled before the appellate court could rule on it, denying OGC, observers, and interested third parties the benefit of clarity going forward.

WHAT OGC CAN DO (THAT MANY DON'T)

Writing for General Counsel online (legal500.com) in "Cybersecurity for In-House Counsel," Catherine Wycherley said: "A cyber attacker could be anyone. A disgruntled employee with access to data, a 'hacktivist' with a social or political axe to grind, an organized criminal seeking profit, or a nation state with a cyber army primed for sophisticated cyberespionage missions. They could be anywhere, silently gathering data before slipping out undetected, or hiding in a gap in the supply chain, waiting to shut down the organization's service. Terminology such as 'phishing', 'social engineering' and 'advanced persistent threat' has invaded the lexicon of the modern corporation." [9]

Cybersecurity concerns are thus the new normal, and the unmistakable trend is toward cybersecurity responsibility and accountability for everyone: companies, OGC, and outside law firms alike. It is ironic that law firms seem to be the last to embrace these responsibilities vigorously. Indeed, since lawyers have heightened, fiduciary responsibilities to their clients, over and above the duties ordinary businesses owe their customers, you would think they would be leaders across the board, OGC included. But they are not. Maybe you are not. Here is what you can do, taking lessons from the Consent Decree adopted in FTC v. Wyndham:

You must overcome the mindset that lawyers just practice law and that whatever you and your company have in place has always worked well enough. You must recognize that the threat of cyber-insecurity is constantly advancing, that the measures you take must meet your fiduciary duty to your client to protect its confidential, private and proprietary data, information and communications, and that they must account for your company's relationships with its customers, lenders, shareholders, third parties and insurers. That means protecting not just the structured data (databases and application repositories), but the data in motion and the unstructured data (documents, emails, PDFs and spreadsheets). And while it may appear to be an arms race of enhancements and updates to cybersecurity systems, policies and systems must be vigilantly supported and maintained. The threat persists 24 hours a day, seven days a week, 365 days a year. And what may be most important is that what is reasonable to you may not be reasonable to your clients, federal and state regulators, business partners, and ethical oversight groups. The ultimate challenge, therefore, is staying ahead of the game wherever and whenever possible: routinely auditing and reviewing your information security program, identifying vulnerabilities, establishing a cybersecurity program budget with contingency funds, and routinely exploring new cybersecurity methods and technology.

[9] Wycherley, Catherine, "Cybersecurity for In-House Counsel," General Counsel online, legal500.com, http://www.legal500.com/assets/pages/gc/winter-2015/cybersecurity-keeping-out-of-the-breach

WHAT DOES THIS MEAN TO YOU

No matter what kind of sensitive information is involved, OGC, like all other lawyers and law firms, has an ongoing affirmative legal, fiduciary and ethical obligation to develop and implement, for themselves and their companies, the latest cybersecurity technologies; the latest methods and protocols for protection, education and training; and the most effective means for responding to, correcting, and remedying any prior security breaches. Put another way, it is time for every OGC to review and consider cybersecurity reform, making cybersecurity a way of life for its staff and for all of the company's employees and third-party contractors, to ensure reasonable data and information security. Anything less exposes OGC and their companies to the serious implications of a Sony-style hack.

ABOUT WINDTALKER

As cyber-attacks grow increasingly sophisticated and remain a persistent threat to every individual, business, and organization, the typical industry response is to lock information assets down with more restrictive governance policies and security controls. However, when information assets are restricted, the effectiveness and efficiency of a business is significantly impacted. With information being the lifeblood of an organization, it needs to flow to customers, employees, and business partners. This misalignment of security controls with business process leaves us with either too much or too little security, or the classic business vs. risk decision. The industry has lacked a solution that addresses the real problem: protection of the content, "the data," no matter where it travels... until now.

WindTalker is a content security platform that allows for the protected movement and sharing of information and integrates with existing popular software. We apply encryption to specific portions of sensitive content within unstructured data formats such as documents, emails, text, and images. WindTalker protects these elements of sensitive data, such as personally identifiable information, company secrets, or attorney-client privileged information, while still allowing the movement and sharing of information without major interruption to the way you do business. Using a simple "Click, Protect, Share" philosophy, WindTalker leverages the user's knowledge and skills to enhance the security of the organization. WindTalker provides true control over "need to know."
