The Sony Data Breach: 3 Painful Lessons

Daniel Solove
Founder of TeachPrivacy


by Daniel J. Solove

The Sony data breach is an exclamation mark on a year that is already known as the “Year of the Data Breach.” This data breach is the kind that makes even the least squeamish avert their eyes and wince. There are at least three things that this breach can teach us:

1. Data breaches cause harm.

For a long time, there has been doubt and equivocation about whether data breaches are really harmful. Often, reaction to a data breach is just a shrug. Happens all the time, people think. But we’re all still standing.

The Sony breach demonstrates starkly that there really can be blood and gore with a data breach. A wrecked computer network; tons of confidential information revealed; a company’s reputation in tatters; a major movie launch cancelled; executives’ private and embarrassing communications exposed . . .

And then there are the private emails of 6500 Sony employees. Brian Barrett of Gizmodo captures the sensitivity of what has been exposed: “The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins. It’s literally thousands of Social Security numbers laid bare. It’s even the harmless, mundane, trivial stuff that makes up any day’s email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.”

This data breach is visibly painful. The damage is catastrophic.

2. All of our personal data is at significant risk.

At home or at work, your personal data is at risk. Whether in the cloud, or on your computer, or in an email, your data is at risk. The Internet wasn’t built for security; it is a very risky zone, like wandering a minefield.

The early days of train travel were treacherous, and so are these early days of the Internet. We often do not appreciate the magnitude of the risks.

With some good security practices, such as having good passwords, using encryption, being aware of how to spot phishing techniques, we can gain some protection. But there will still be substantial risks. For individuals, these risks will multiply as they make more use of the Internet. For organizations, these risks will multiply as their workforces multiply.

The risk will always be high. It can be mitigated, but it cannot yet be eliminated. Everyone must know that the risks are substantial and never let themselves get complacent or comfortable.

Email is tremendously risky. We increasingly rely on it for our daily communication, and I don’t see people going back to phone calls and in-person meetings. But email’s convenience comes at a great cost — it creates a record that is vulnerable to hacking, to accidental leaking, and to discovery in legal proceedings. Email may be a big step forward in some ways, but it is a big step backwards for privacy and security.

3. The C-Suite should pour massive resources into privacy and data security.

Perhaps no other breach will demonstrate more to the C-Suite the importance of privacy and security than the Sony data breach. Very sensitive information with a great impact on executives, such as salary information and other personal data, was revealed. Executive emails were leaked. According to the LA Times, “Emails included in the data revealed nasty exchanges between executives and producers, including swipes at actors including Kevin Hart and Angelina Jolie.”

This breach doesn’t just affect executives in the wallet, and the damage can’t be cured by a cybersecurity insurance payout. In many cases, the damage to executives is personal. It’s not just other people’s data — it’s their own.

I believe that this breach, plus all the other data security incidents this year, sends a very loud message that the risks are significant and of serious magnitude. And it’s not just data security: the Uber privacy incidents have been quite damaging too.

Now is the time for the C-Suite to give their privacy and security officials a big hug, a big raise, and a big staff.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 880,000 followers.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter

Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security