Cyber Wars and the Legal Lessons from the Sony Hack (Op-Ed)

Steven Rubin and A. Jonathan Trafimow are partners at Moritt Hock & Hamroff LLP. Rubin chairs the firm's Patent Practice Group and co-chairs its Cybersecurity Practice Group. Trafimow chairs the firm's Employment Practice Group and co-chairs its Cybersecurity Practice Group. They contributed this article to Live Science's Expert Voices: Op-Ed & Insights. 

Target. Home Depot. Staples. Marriot. Sony. Who's next? As new developments surrounding the cyber-attacks on Sony Pictures Entertainment, Inc. dominate the news, it's premature to draw conclusions about how Sony was hacked, who was responsible, and whether Sony's security measures were appropriate — but the legal implications are already growing clear. 

On December 15, 2014, lawyers filed a class action complaint against Sony in federal court in California. The complaint puts companies on notice as to the types of claims that they might face if their systems are hacked, and steps they can take now to protect themselves.

Filing suit

Paragraph 2 of the complaint gets right to it:

At its core, the story of "what went wrong" at Sony boils down to two inexcusable problems: (1) Sony failed to secure its computer systems, servers, and databases ("Network"), despite weaknesses it has known about for years, because Sony made a "business decision to accept the risk" of losses associated with being hacked; and (2) Sony subsequently failed to timely protect confidential information of its current and former employees from law-breaking hackers who (a) found these security weaknesses, (b) obtained confidential information of Sony's current and former employees stored on Sony's Network, (c) warned Sony that it would publicly disseminate this information, and (d) repeatedly followed through by publicly disseminating portions of the information that they claim to have obtained from Sony's Network through multiple dumps of internal data from Sony's network.

The allegation that Sony made "a business decision to accept the risk" could be levied against virtually every business in the United States that has not undergone a thorough, systemic review of its network.  

As cyber attacks become the new normal, some businesses will become vulnerable to the accusation that they made a "business decision" to accept the risks of being hacked, rather than investing in enhanced protections. 

Possible legal claims are too numerous to catalogue here, but could include: negligence; violation of medical privacy laws; violations of regulatory rules, if applicable; and failure to comply with post-breach laws (such as those that require notifying affected employees and/or customers who have had personal identifying information disseminated). More importantly, business face the risks of losing customers and having their reputations tarnished. 

Preparing for the worst

So what can businesses do to protect themselves and consumers?

Prior to the breach, companies should develop a written information security plan (WISP) and create a network of relationships with experts to contact in the event of a suspected breach. Legal counsel is an integral part of that team, in large part because of the potential to protect information from plaintiffs, with the attorney client privilege. Companies will also want to determine their insurance needs. Cybersecurity policies vary, and companies need to determine what coverage is best for them. [Internet 'Key Holders' Are Insurance Against Cyber Attack]

Whether written or electronic, the WISP should show that the company has: 1) identified cyber vulnerabilities; 2) protected those vulnerabilities; 3) developed a plan to detect and respond to anomalies; and 4) has procedures in place to respond and recover from data security problems.

The company also needs to identify pertinent legal and regulatory requirements, vulnerable assets, potential threats, and an acceptable risk tolerance. Key company personnel must also be identified and trained.

Internal employees and external vendors need to undergo awareness and training procedures, and importantly, the company must identify a baseline configuration of the information technology infrastructure For example, they need to know the various ways their networks can be accessed and patterns that are "typical" or "normal." 

With the infrastructure well understood, the company needs to have procedures in place to detect anomalies — including employees exhibiting unusual behavior and irregularities in the network. When anomalies are detected, the company is then in a position to respond. 

The response should include coordination with a cybersecurity response team that draws upon expertise from lawyers, IT professionals and a cybersecurity insurance carrier. Business partners need to be notified. Forensics may be necessary to identify all threats, and any anomalies must be eradicated. 

After response, a company can recover by contacting service providers, restoring operations and addressing public relations. Only then can the company begin to restore its systems and reputation.

The benefits of the WISP are manifold. It can potentially reduce a premium for a cybersecurity insurance policy. The WISP forces the company to review their cybersecurity and inevitably make improvements. The WISP may potentially limit legal liability by showing that the company took reasonable steps to protect its data. As a side benefit, the WISP becomes a marketing document to distinguish a company from its competitors — leading consumers to select one company over another before making purchasing decisions. 

Follow all of the Expert Voices issues and debates — and become part of the discussion — on Facebook, Twitter and Google+. The views expressed are those of the author and do not necessarily reflect the views of the publisher. This version of the article was originally published on Live Science.