December 12, 2014
By Marc Fogarty, CPA, CFE
It is a misconception that if your company or organization doesn’t store financial information, then you aren’t at risk for a cyber-attack. The recent Sony Pictures data breach clearly shows that this is not the case. The fallout from this scandal will be different than a financial security breach like the ones that happened this year with Target and Home Depot.
With a financial security breach, customer data is exposed and can be used for identity theft or credit card fraud. What makes this situation unique is the type of data that was exposed and the reputational and possible legal implications from this exposure.
Here is the crux of what's in the news: It was originally postulated that the Sony cyber-attack occurred due to a disgruntled employee. Later, the attack was attributed to sympathizers with the North Korean government. The group claimed to be protesting the contents of a specific film which showed an assassination attempt on the North Korean dictator, Kim Jong Un. A separate online posting threatened physical attacks on theaters that show the film; the threats were credible enough to be considered a threat by Homeland Security and caused Sony to cancel the film's release.
Regardless of who committed the offense, companies of all sizes are at risk from a malicious attack that may have nothing to do with money. The Sony data breach exposed sensitive data such as internal and external communications, employee social security numbers, birth dates, health records and salaries.
It is one thing to expose customers' financial information, but quite another to expose sensitive data and the private communications of employees upon whom the company relies. A privacy breach may leave employees feeling that their personal information was not treated with care and respect, and that their employer betrayed them. Reputational problems aside, there are also legal implications to the data that was exposed. In mid-December, it was announced that two former employees are suing Sony over privacy issues related to the data breach. This could have much more serious consequences since, in the state of California, it is a company’s legal responsibility to secure employee medical information. If that isn’t bad enough, Sony is also an international company and could face legal ramifications in other regions like Europe, which have their own versions of data protection laws.
Internal and external company communications that involved business partners, celebrities and others were also exposed. These leaked emails and correspondence could consequently cause physical, reputational or financial damage to those third parties, who could then have a possible legal claim.
In the end, it is highly probable that Sony Pictures will survive this fiasco and return to business as usual because of its size and financial resources. Its defense is also bolstered by the U.S. government, which wants to pursue the attackers, since the breach accompanied a terrorist threat to theaters and an attack on Sony's ‘freedom of speech’ rights to make the movie. But it raises the question: What would happen to a small or mid-size company under similar circumstances? Could it survive the fallout from such a serious data breach?
If you think your company’s data isn’t at risk, think again. Every company has internal and external emails and records that contain confidential information and sensitive employee information such as addresses, social security numbers, dates of birth, performance reviews, salaries, resignation letters and more. The Sony data breach is a wake-up call for all companies to re-examine their cyber risk and take appropriate measures to minimize that risk as much as possible.