The Sony Data Breach: 3 Painful Lessons


The Sony data breach is an exclamation mark on a year that is already known as the "Year of the Data Breach." This data breach is the kind that makes even the least squeamish avert their eyes and wince. There are at least three things that this breach can teach us:

1. Data breaches cause harm.

For a long time, there has been doubt and equivocation about whether data breaches are really harmful. Often, reaction to a data breach is just a shrug. Happens all the time, people think. But we're all still standing.

The Sony breach demonstrates starkly that there really can be blood and gore with a data breach. A wrecked computer network; tons of confidential information revealed; a company's reputation in tatters; a major movie launch cancelled; executives' private and embarrassing communications exposed . . .

And then there are the private emails of 6500 Sony employees. Brian Barrett of Gizmodo captures the sensitivity of what has been exposed: "The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins. It’s literally thousands of Social Security numbers laid bare. It’s even the harmless, mundane, trivial stuff that makes up any day’s email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack."

This data breach is visibly painful. The damage is catastrophic.

2. All of our personal data is at significant risk.

At home or at work, your personal data is at risk. Whether in the cloud, or on your computer, or in an email, your data is at risk. The Internet wasn't built for security; it is a very risky zone, like wandering a minefield.

The early days of train travel were treacherous, and so are these early days of the Internet. We often do not appreciate the magnitude of the risks.

With some good security practices, such as having good passwords, using encryption, and being aware of how to spot phishing techniques, we can gain some protection. But there will still be substantial risks. For individuals, these risks will multiply as they make more use of the Internet. For organizations, these risks will multiply as their workforces multiply.

The risk will always be high. It can be mitigated, but it cannot yet be eliminated. Everyone must know that the risks are substantial and never let themselves get complacent or comfortable.

Email is tremendously risky. We increasingly rely on it for our daily communication, and I don't see people going back to phone calls and in-person meetings. But email's convenience comes at a great cost -- it creates a record that is vulnerable to hacking, to accidental leaking, and to discovery in legal proceedings. Email may be a big step forward in some ways, but it is a big step backwards for privacy and security.

3. The C-Suite should pour massive resources into privacy and data security.

Perhaps no other breach will demonstrate more to the C-Suite the importance of privacy and security than the Sony data breach. Very sensitive information, such as salary information and other personal data, was revealed, with a great impact on executives. Executive emails were leaked. According to the LA Times, "Emails included in the data revealed nasty exchanges between executives and producers, including swipes at actors including Kevin Hart and Angelina Jolie."

This breach doesn't just affect executives in the wallet, and the damage can't be cured by a cybersecurity insurance payout. In many cases, the damage to executives is personal. It's not just other people's data -- it's their own.

I believe that this breach, plus all the other data security incidents this year, sends a very loud message that the risks are significant and of serious magnitude. And it's not just data security, as the Uber privacy incidents have been quite damaging too.

Now is the time for the C-Suite to give their privacy and security officials a big hug, a big raise, and a big staff.

* * * *

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. He is a Reporter on the American Law Institute’s Restatement Third, Information Privacy Principles. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.

The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.


Image Credit: Public Domain Pictures + DJS Mashup

John Ciesla

Officially Retired CEO and President of C-Level Cyber Strategies LLC Certification Retired Consulting Organization Closed

10 years ago

A business that suffers a cyber event must go through a series of steps, not only to understand the impact but to assess the cause. This process painfully takes time, months, sometimes years depending on the size of the attack. As with any crime, nothing is more damaging to the cause of remediation than the speculation that surfaces in the media before the facts are known. I prefer not to judge Sony but to support Sony as no business deserves this. This is why I do what I do.

Flora Egea Torrón

Counsel. Privacy, Data Protection & Compliance at Legal Army

10 years ago

Hi Daniel, I don't agree with some of your conclusions; however, your article's worth a close look.

Bruce Bevin

Kaumatua at Omanaia Marae

10 years ago

Some of this should be taken on board. Internet security is important. The rest is sensationalism at its worst. If people are silly enough to wash their "dirty laundry" in public, so be it!
