For the Office of General Counsel, It's A
WHITE PAPER: THE TRUE IMPLICATIONS OF THE SONY HACK

FOR THE OFFICE OF GENERAL COUNSEL, IT’S A SCARY CYBER-WORLD OUT THERE

CASE-IN-POINT: THE TRUE IMPLICATIONS OF THE SONY HACK

© Copyright 2017 WindTalker® All rights reserved.

INTRODUCTION

It was Monday morning November 24, 2014, a seasonably warm day in Southern California. Thanksgiving was three days away, meaning Hollywood would soon shut down until the new year. It would soon be a time for family and friends and year-end celebration. The once-General Counsel of Sony and recently-named President of Sony Group Entertainment, Nicole Seligman, arrived at work ready to take on the day. But within moments of entering her office, Nicole began to realize that this day would live on in infamy.

Hackers, suspected to be of North Korean origin, accessed the computer network of one of Hollywood’s — and the world’s — largest and most powerful studios. The attack was thought to be pre-emptive revenge for the Sony Christmas release of The Interview, in which the bumbling duo of Seth Rogen and James Franco were tasked by the CIA to assassinate North Korean despot Kim Jong-un. North Korean media denounced it as an act of terror and war. Jong-un promised “a merciless response.”

“OBVIOUSLY THE SONY HACK WAS A WAKE-UP CALL FOR ANYONE IN MY INDUSTRY, AND I WOULD THINK FOR ANYONE IN ANY INDUSTRY”
— KEVIN SPACEY, ACTOR AND FILM STUDIO BOSS - JANUARY 2016

But it would soon be learned that a shadowy group called the Guardians of Peace had posted 40GB of Sony’s private and proprietary data on the anonymous website, Pastebin. The data revealed significant pay differences among the lead actors, sensitive details of Sony budgets and lay-off strategies, 3,888 personal and private social security numbers, salaries of 17 of its most highly paid executives, high-quality videos of unreleased upcoming films, and the desiderata of Sony’s global brand strategy.
This could happen to you and your company. And if it did, you and your company would be the “victim”, just like Sony, but that would pale against the dark, harsh truth: your company would also be branded a “violator”. A violator for failing to properly secure highly-valuable company assets, deeply personal private information, and enormously-revealing proprietary secrets. And as violator, your company would be exposed to massive potential liability by federal and state regulators, shareholders, investors, class action law firms, employees, clients and third parties.

The Sony attack, combined with lessons from FTC v. Wyndham, 50+ FTC consent decrees, the ominous horizon of Shore v. Johnson & Bell’s legal malpractice concerns, ABA and state-imposed attorney ethics rules, and more… The time for OGC to bolster cybersecurity on all levels is now.

SONY EMPLOYEE HACKING CLASS ACTION

Before Christmas of 2014, two former employees who hadn’t worked at Sony in years filed class action lawsuits against Sony in California federal district court. Generally, the lawsuits claimed Sony Pictures violated its legal duty to protect the personal information of current and former employees. That information included their names, Social Security numbers, former addresses, and other private information. “Security weaknesses in Sony’s Network” were blamed, and of course the company’s outside litigation counsel pushed back hard, vigorously opposing class certification by arguing anyone in the class would be hard-pressed to prove any damages were specifically caused by the Sony hack.
By January 2016, five more class action lawsuits followed, with the beleaguered studio not opposing the motion to consolidate them into one — the motion stating: “Plaintiffs in each of the cases generally allege that SPE [Sony Pictures Entertainment] failed to maintain adequate security policies and practices to protect Plaintiffs’ information.”

In a memo to employees, new CEO Michael Lynton, who had replaced Amy Pascal, who resigned soon after the hack, tried to rally his troops from the cloud of doom that had permeated the company: “Over the past six weeks I have seen incredible tenacity, resilience and grit. That inspires me, and gives me confidence that we will not only recover, but thrive because of what we’ve been through.”

Hundreds of thousands of dollars and thousands of man-hours of disruption later, by the end of 2015 the matter settled, paying out a speculated $4.5 million to current and former employees and $3.5 million to attorneys.

Unfortunately for Sony and every company that’s hacked, the employee class action is just the tip of the iceberg. And for OGC, the challenge is to prevent the tip of the iceberg from birthing a glacier of further liability, asset damage, and below-the-surface brand erosion.

THE GLACIER OF LIABILITY

In the wake of the Sony hack, Melissa Maleski wrote for Law 360, a Lexis Nexis company: “It’s not a question of if you’ll be hit with a data breach attempt, but when. And if it’s successful, the fallout litigation is just as inevitable.”

Here are six different potential lawsuits that every General Counsel should expect to see across his or her desk in the months following a publicized cyber-security breach:

1. An Employee Lawsuit, or slew of them, brought by past and present employees, either as class action lawsuits, individual lawsuits, or most typically both.
For example, in 2014, a Coca-Cola employee filed a putative class lawsuit claiming the company was negligent in its failure to secure employee information and promptly notify employees of the theft of 55 company laptops containing the employee’s personal information[1]. While the judge tossed many of the claims, he allowed claims for breach of contract and restitution to remain[2]. This case prompted Katten senior counsel to observe that the unjust enrichment claims in particular were “a really novel theory predicated in a company’s failure to provide adequate resources to the protection of personal nonpublic information.” But note: these are exactly the claims made in the legal malpractice action described in the Windtalker Case Study, Shore vs. Johnson & Bell: The Catastrophic Potential of Cyber Security Lapses at Professional Services Firms.

2. The inevitable Consumer Lawsuits, however, are also soon to follow as the most ubiquitous in this realm of risk exposure. Though companies demand proof of actual harm traced to the specific hack or breach in question, “a high bar to meet” observes K Royal, assistant general counsel and privacy officer at CellTrust Corp, plaintiff’s counsel are becoming ever more creative.

For example, a federal judge held that consumer plaintiffs had standing to sue Target Corp. following its 2013 credit and debit card data breach. The company quickly settled the case, agreeing to pay up to $10 million to consumers who could document any losses they’d suffered.

And then there was the Neiman Marcus Group breach, from which consumer credit card information was stolen. Initially dismissed, the Seventh Circuit reinstated the case on appeal, making it much easier for consumers to sue for data breaches, finding the plaintiffs “have shown a substantial risk of harm from the Neiman Marcus data breach.
Why else would hackers break into a store’s database and steal consumers’ private information?”[3] Commenting on Neiman Marcus, AGC Royal said: “This is a wonderfully illustrative case, because it was a 2013 breach that just received the decision in July of this year to proceed, demonstrating how long it can take for these cases to work through the system.”

[1] Shane K. Enslin v. The Coca-Cola Company et al.
[2] Greenwald, Judy, Court rules for Coca-Cola identity theft victim on stolen laptops, Business Insurance Website, http://www.businessinsurance.com/article/20151013/NEWS06/151019945/pennsylvania-federal-court-rules-for-coca-cola-identity-theft-victim.
[3] Remijas v. Neiman Marcus Group (2015), USDC, N Dt Ill, No. 14 C 1735, http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2015/D07-20/C:14-3122:J:Wood:aut:T:fnOp:N:1590360:S:0

3. The newest litigants to the lawsuit trough are Financial Institutions. After Target suffered its highly-publicized data breach, which spawned dozens of lawsuits nationwide, the card-issuing financial institutions took aim at Target as well, filing suit in the U.S. District Court of Illinois. Ultimately it became the first-ever settlement of a breach-related lawsuit reached on behalf of financial institutions. Unquestionably, it will lead more banks to turn directly to retailers to recoup their losses after a breach, rather than working through post-breach recovery programs established by the payment card companies themselves. In the Target case, the settlement of $39 million will ultimately garner the banks more money than the Visa and MasterCard programs would have.
“The card-issuing banks usually didn’t have any direct relationship to the retailer, so it was difficult for them to sue, and most of the time in the past, they haven’t done so,” said deputy practice leader from the Sutherland Asbill & Brennan privacy and cybersecurity team. “But I suppose Target involved enough money for them that it made it worthwhile to give it a shot.”

4. After the negative publicity of the foregoing hits the fan, Shareholder Lawsuits often follow, depending of course on a confluence of factors that may impact stock value. The initial appeal to shareholder plaintiff’s counsel is that the company is socked with massive costs and litigation fees generated directly and specifically because the company, arguably, failed to protect sensitive data, communications, email and information in a universe where cyber-thefts are frequent and to be expected.