Stacie D. Nyborg, Attorney

February 2015

Looking back at 2014, it is clear that one group was very successful: hackers.  Jennifer Lawrence was hacked, Sony was hacked, and even a private contractor that performs background checks for U.S. Homeland Security was hacked.  As a result of these data breaches, the world was given unfiltered access to private details and personally identifiable information of unsuspecting victims.  These data breaches did not just leak salacious photos or emails; they exposed employee social security numbers and salaries, private client lists and contact information, internal strategies and trade secrets, and other critical and sensitive data.

Unfortunately for Sony, they have become a case study for a corporation’s responsibility for data breaches.  In 2011, the first major Sony leak occurred when hackers breached the Sony PlayStation Network and exposed tens of millions of user names, addresses, passwords and credit card numbers.  Soon after, Sony was hit with dozens of class action lawsuits and had to convince the public and government agencies that their online networks were secure again.  Sony settled the class action lawsuits for $15 million this past July, paid a fine of $400,000 to the U.K. Information Commissioner’s Office, and also spent untold amounts of money in its efforts to win back clients and restore goodwill.   The estimates of Sony’s losses are as high as $2 billion.  Because this case was settled, no definitive legal ruling was reached as to the extent of a corporation’s duty to protect customers’ personal information.  What is clear, however, is that this duty is significant.

To add insult to injury, a New York trial court in Zurich American Insurance Co. v. Sony Corp. of America et al, held that Zurich, Sony’s commercial liability insurance carrier, did not have to defend or indemnify them.  Because the policy’s language only specifically covered acts committed or perpetrated by the policyholder, the Court held that Zurich did not have to cover publication of private information by third-party hackers.  Sony was forced to pay the costs of the litigation and settlements on their own.

Last November, Sony faced another privacy debacle when Sony Pictures Entertainment’s computer systems were breached.  This time, rather than leaking customer data, the data breach released personal information on about 47,000 current and former Sony employees.  This latest breach now raises a different question: what duty does a company owe its employees to protect their private information?  Several lawsuits have already been filed against Sony for their negligence and failure to adequately secure this data.  Only time will tell what the final outcome is.

What is the lesson from all of this?  Privacy is going to be a key issue going forward for all businesses.  As personal data and information becomes easily exchanged with increased reliance on electronic communications, transactions, and data storage, there is also a new heightened responsibility to ensure the security of this data.  While most retailers, insurers, and lenders are familiar with the requirements of the Gramm Leach Bliley Financial Privacy Act and the Consumer Financial Protection Bureau, non-consumer businesses should also consider taking efforts to protect customer data.  This increasing number of hacks will only ensure that more scrutiny will be placed on businesses’ security measures and that government and regulatory agencies will require more statutory and regulatory measures.  Businesses should therefore place a priority on ensuring that they are in compliance with these regulations and also take extra measures to ensure that the information they access on a daily basis, for customers and employees alike, is protected and secure.

Of course, each business’ needs will vary as a medical office will have greater security requirements than a building contractor. That being said, each one should still take precautions to ensure they are protected from data breaches and leaks.  Also, if a business deals with highly sensitive information, it should check its insurance policy to see if it is covered for data breaches.

One final tip to remember is that each text message or email that is sent internally, to clients, or to outside parties, creates a written record that can later be used in and out of court.  As Sony executives have learned, one may want to think twice before disparaging a top producing client and/or business partner.  Words written in the heat of the moment may later come back to haunt you.

If you have questions about security issues and making sure your business is compliant, the attorneys at BFAS are here to provide you support and guidance.  As the consequences for failing to secure data are becoming increasingly severe, it is important to make sure your business reduces its risk and protects itself in the future.                                                                                

Stacie D. Nyborg, Attorney

SNyborg@BFASLaw.com

(Direct) 805.966.7511

DISCLAIMER:  This Advisor is one of a series of business, real estate, employment and tax advisories prepared by the attorneys at Buynak, Fauver, Archbald & Spray, LLP. This Advisor is not exhaustive, nor is it legal advice. You should discuss your particular situation with us or with your own attorney. Our legal representation is only undertaken through a written engagement letter and not by the distribution of this legal Advisor.