See the Online Exclusive, “Other Breaches.”
Data security experts have called it a corporate nightmare. Customers have called it irritating and irresponsible. However one describes it, the massive information hack that entertainment giant Sony experienced in mid-April is a serious problem with global implications.
On April 20, Sony unexpectedly took its popular gaming and music services PlayStation and Qriocity offline. After six days of customer and media confusion, the company announced via a blog post that the outage was due to the fact that hackers had compromised 77 million PlayStation and Qriocity user accounts. Then, on May 2, Sony revealed that nearly 25 million more accounts from its Sony Online Entertainment service also had been hacked, bringing the scope of the entire breach to a staggering 100 million accounts.
At press time, Sony was reportedly working with the FBI, Data Forte, Guidance Software and Protiviti to investigate the hack and repair its systems. Although Sony apologized to its customers, offering several freebies once it restored services, the company’s security weaknesses have spurred government concern about the safety of sensitive consumer information.
Additionally, Sony’s PR catastrophes—including publicly condemning the hacker group Anonymous, which claims it had no involvement in the breach; declining to participate in a Congressional subcommittee hearing, “The Threat of Data Theft to American Consumers”; and offering unclear deadlines on when systems would be up and running again—didn’t help to discourage litigation. By the end of May, Sony faced more than 25 lawsuits, including a class action, alleging negligence, breach of contract and consumer privacy violations.
Foley Hoag Partner Michael Dowd says data breaches are a growing corporate threat—even against tech-savvy companies such as Sony. “There certainly is no letup in the attacks on systems or the prevalence of viruses that can compromise businesses’ systems,” he says.
Experts say in-house counsel should examine the Sony attack, as well as the company’s response, as they reassess their corporate data security efforts and crisis plans.
According to the Privacy Rights Clearinghouse, a non-profit consumer education organization, businesses and governmental and educational entities have reported more than 2,500 data breaches involving nearly 600 million records since 2005. The Open Security Foundation, a non-profit organization that provides information about data security risks, says that organizations have reported 210 breaches so far this year. And according to the Federal Trade Commission (FTC), nearly 9 million Americans are victims of identity theft every year.
In building a defense against attacks, in-house counsel must understand how corporate data is received, stored and transmitted. The best way to do this is by conducting a comprehensive risk assessment with a team of internal IT experts.
“You must find out every step of the way where your data might be vulnerable, whether from internal employees having access to it when they don’t need to or if somebody else could break into it from the outside,” Dowd says.
Corporate IT teams should regularly update the company’s antivirus software, firmware and hardware, and use encryption, firewalls and event-monitoring software to detect unusual activity in real-time.
In light of the Sony breach, the FTC and many government representatives, such as Sen. Tom Carper, D-Del., and Rep. Mary Bono Mack, R-Calif., are pushing for legislation that would create security standards to safeguard private information. However, Congressional action has been slow.
“When Obama’s administration came in, they made a pledge that data responsibility and data security was going to be a top priority. Then we had a little problem with the economy, and that got sidelined,” says Fox Rothschild Partner Mark McCreary. But the efforts seem to be returning. On May 12, the White House proposed draft legislation for a national cyber security bill that would protect the country’s economy and infrastructure. “National legislation would absolutely streamline the response that goes into a breach,” McCreary says.
Congress may prioritize legislation if more large-scale hacks occur. “There have been some pretty high-profile breaches in the past six years that kicked off state actions, and I suspect as there are other incidents, we will come closer to a national standard,” says Margaret Utterback, a partner at Quarles & Brady.
The rules for reporting data breaches vary across the country. In sum, 46 states and Washington, D.C., have disclosure laws that require organizations those whose personal data was compromised as soon as reasonably possible. (Only Alabama, Kentucky, New Mexico and South Dakota currently do not have notification requirements.) Organizations must report breaches to affected individuals according to the disclosure laws of the state in which the individual resides, which can be complicated.
“If I have a data breach and I have information from people from 30 different states, there are 30 different laws I have to look at, and they conflict with each other,” McCreary says.
The majority of the state laws do not require organizations to report a breach if the exposed data was encrypted.
If the data was not encrypted, some state laws require organizations to report breaches if they know for certain that information was accessed, while others require reporting if it is merely possible that the data was accessed. It’s important to know which law applies. “I’ve seen a few cases where people start putting out notices only to find out later on that they were able to confirm that there was no data breach,” McCreary says.
Dowd says Sony’s initial vague public statement exemplifies why companies shouldn’t report a breach too early. “It can backfire from a public policy perspective to report things too soon,” he says. “Once you have a handle on the scope of the data that was compromised, it then behooves the company to respond as quickly and as accurately as it can to make those notifications.”
Utterback says that the timing of any reporting is tricky. “There is a competing tension between the need to be prompt and the need to provide comprehensive, meaningful information to those who were affected by the breach,” she says, adding that it’s also important for inside counsel to work with the company’s PR team to develop appropriate public statements. “[Good PR] helps customers feel more secure, and it also can assist with allaying governmental concerns about the reasonableness of the response. The goal is to protect consumers and do it in a way that builds the credibility and reputation of the company.”
The cost of a data breach is multifaceted and can be difficult to estimate. It depends on the extent of the breach and the type of information exposed. Many data security experts say companies pay $200 on average per record lost.
“For something like the Sony breach, the direct costs are things like repairing the infrastructure of your business, increased insurance costs, providing credit monitoring to consumers and dealing with any lawsuits that were filed,” Dowd says. Indirect costs include a harmed reputation and loss of future revenues, he notes.
But companies face additional costs if regulated information, such as health care data, was compromised. “There can be serious penalties levied by the government that can certainly be in the millions of dollars, and the settlement of those sometimes requires implementing compliance programs, which can cost many more millions of dollars to enforce going forward,” Dowd says.
Companies that fear an onslaught of litigation after a breach should remember that plaintiffs must be able to establish true damages in order to have a case.
“The overwhelming majority of decisions say there has to be clear and present harm as a result of the breach,” McCreary says. “In other words, you must prove that your identity was stolen, not that you just have a fear that it could be stolen in the future.”