Cloud Hosting Becomes More Appealing for Data Security as the Costs of Cyber Attacks Add Up: A Lesson From Sony Pictures Entertainment

This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.

The cyber-attack on Sony Pictures Entertainment, allegedly incited by the proposed release of the movie “The Interview” can provide a hard but necessary lesson for businesses considering the costs of managing and securing their information assets in-house rather than leveraging cloud hosting.

Indeed, the Sony hack is yet another example of the practical affects to a company’s bottom line that result from a large scale data security breach. One analyst is projecting that this breach could cost Sony as much as $100 million, not counting the unquantifiable loss in goodwill.  Sony has had to invest time and money to determine the cause of the security breach, the extent to which its files have been accessed and disseminated, and to reconfigure and redesign its data security policies. The company will also have to continue to spend money to pay for lawyers and others to try to mitigate its exposure. These legal steps have included cease and desist letters to all of the publications and outlets that have been publishing information obtained from the leak and defending the company in a recently filed class action law suit litigation from employees and, perhaps, later from shareholders alleging corporate waste and violations of directors’ fiduciary duty in failing to have adequate data security controls. The fees will also most likely include responding to investigations from governmental agencies that may include the Federal Trade Commission and Securities and Exchange Commission and, perhaps, state attorneys general.

Sony has also lost an immeasurable amount of goodwill and other valuable assets like strategic planning and trade secrets that affect a corporation’s profits. During the cyber attack, the hackers obtained confidential personnel records of its employees and numerous embarrassing emails from executives, all of which endanger Sony’s relationships with current and future employees, vendors and contractors, and talent. Other information obtained in the breach, like marketing information and strategies, forthcoming movies, documents relating to negotiating tactics, and other trade secrets will also cost Sony financially in terms of lost profits and competitive advantage, though a fixed number will be difficult to determine. Companies that do business with Sony, or whose managements receive guidance from Sony executives who sit on a company’s Board of Directors may also suffer losses, as communications between the company and a Board member who is a Sony executive that contain business-related information and strategy become public.

Against the backdrop of the costs of a data security breach of this scale, the potential value associated with moving an organization’s data to the cloud for storage and management becomes clearer. While cloud hosting is no guarantee against a massive cyber-attack, there are still potential benefits. The fees paid to purchase storage through a vendor leverage the cyber security experience of the cloud provider as a core business competency. That is, data security, to a great extent, the cloud hosting provider’s raison d’etre, at the heart of its business model and offerings. In addition, the move to a cloud platform may provide a level of defensibility with regard to investigations or litigation because cloud hosting providers typically employ the most current data security features, obtain independent security certifications, and regularly perform documented audits of their systems. Therefore, an organization may be able to establish that it conducted proper due diligence by reviewing the cloud vendor’s data security documentation and thus exercised reasonable steps to prevent a breach.

—

By Kenneth N Rashbaum Esq. and Jason M. Tenenbaum of Barton, LLP.