Eating up the data breach airways for the past month has been the hacking of Sony Pictures. As with any breach in the news, the Internet is full of articles criticizing Sony and its approach to not only the security issues but the messaging. That is not the purpose of this blog. Rather, I subscribe that all entities will be breached, and it is not a matter of "IF" but "WHEN." I would prefer to use the incident as an opportunity to discuss just a few key information privacy and security principles that I think have been illustrated by this breach. I would think any business, regardless of size or industry, would do well to consider each as an opportunity to learn more and continue to improve its data governance planning.
It is not evident whether the recent breach could have been addressed by any such program implemented to address the 2011 issues. Furthermore, I think it is worth sharing here that I worked in the corporate space for years before becoming an attorney. I am not suggesting in any way that implementing change happens quickly in any large corporate enterprise. For example, could Sony have encrypted all passwords between April 2011 and May 2011? Perhaps. Perhaps not. A large ship does not turn on a dime. I get that.
However, any company in such a position should use such opportunities to understand and correct information security deficiencies. More importantly, it is critical to understand that the security process never ends. Rather, good information security practice continues to evolve to meet emerging threats. Such an approach may not stop every threat, but it can prevent a great deal of them and mitigate the harm from other threats. Do you think such a best practice is nice, but not necessary? Think again, as regulators from agencies such as the FTC and Office of Civil Rights have made it clear they expect to see documented evidence of a company's "lesson learned" from breaches or from its own audits. Indeed, as one regulator told me, the worst thing to do is have an audit that identifies a known risk or vulnerability and then do nothing to mitigate or fix it. Thus, paying attention and taking action will not only prevent attacks and mitigate harm, it can lessen the likelihood of steep enforcement actions or successful litigation resulting from future breaches.
Thus, in addition to looking at actual vehicles for hacks, to include new malware and other reported threats, companies also need to ponder who would attack them and why. To properly plan ahead and implement a reasonable security program, a company needs to look outside itself and consider the long view. Who would be motivated to attack the company? Where are these people located? Are there authorities or resources that can assist in planning countermeasures for such attacks? Are there internal resources, employees, or employee practices that could enable such a hacker? Or do those risks lie with a company's third-party service providers, such as an HVAC company as we saw in the Target breach last year? The "who" here is very important because the attack vehicle will change, based on the success or failure of the attack. Understanding the "who" behind the attack might help a company to anticipate, if possible, the next attacks and plan for ways to stop them. I completely understand many companies with limited resources are just trying to keep the castle walls up and the moat dug. However, as part of a larger data governance plan, a company is well served to look beyond those walls to see what enemy forces might be amassing and why. Doing so will drive a better analysis and preparation for the attacks themselves.
Not surprisingly, considering prior breaches and hacks, Sony was allegedly still working through discussions on retaining e-mails beyond their useful or compliance-driven life. A recent blog in the (December 12, 2014) shared some insight on this very issue at Sony:
"In the year heading up to the hack, company lawyers discussed document retention policies — a subject that is certainly common inside legal departments in corporate America, but one that suddenly looks sadly ironic given what's transpired. According to, in a message titled "email purge," Weil argued with a colleague about whether the company should take a more cautious approach to retaining emails. "While undoubtedly there will be emails that need to be retained and or stored electronically in a system other than email, many can be deleted and I am informed by our IT colleagues that our current use of the email system for virtually everything is not the best way to do this," she wrote."
Such a discussion is indeed ironic considering Sony's breach, but it is hardly unique to Sony. Companies struggle with retention schedules all the time. In the face of cheaper storage space and more powerful computing, companies are often loathe to get rid of anything just in case something comes up, such as a new marketing opportunity. "Just in case" is not a data retention policy and presents as many legal obligations and risks as it does for security. The discussion can be difficult, heated, and unwanted as everyone is focused on their "real" jobs. But ignoring the discussion altogether is an invitation for disaster.
Again, it is always easy to pick on the latest victim of a cyber attack and hindsight is always 20/20. I prefer to use such moments as learning opportunities and focus on maybe the less obvious security and data governance principles at play. Taking a little time, making a plan and executing the plan can make a world of difference.