Sony Hack: Legal Department Under Microscope After Latest Leak

Was the threat of data breaches enough of a priority at the company?

As Sony Pictures' legal department confronts the ongoing nightmare of the studio being hacked recently, it must also look in the mirror as the latest leak from hackers focuses on communications by general counsel Leah Weil and other in-house attorneys.

In the year heading up to the hack, company lawyers discussed document retention policies — a subject that is certainly common inside legal departments in corporate America, but one that suddenly looks sadly ironic given what's transpired. According to Gizmodo, in a message titled "email purge," Weil argued with a colleague about whether the company should take a more cautious approach to retaining emails. "While undoubtedly there will be emails that need to be retained and or stored electronically in a system other than email, many can be deleted and I am informed by our IT colleagues that our current use of the email system for virtually everything is not the best way to do this," she wrote.

Read more Kevin Hart on Sony Email Exchange: "I Will Never Allow Myself to Be Taken Advantage Of"

Meanwhile, Sony's legal department has faced hacking incidents before. Most notoriously, there was the breach of consumer data of 77 million users of its PlayStation Network, but there were also more low-key affairs.

For instance, Gawker has published emails from vp legal compliance Courtney Schaberg to Weil about a breach last February where the company apparently had some of its Brazilian files snatched. Ultimately, after some discussion about the fact that Brazil didn't have a breach notification law, Sony decided not to notify individuals or go public about that attack.

The coming days could be filled with more stories about Sony's efforts before the hack, as a report from one cybersecurity firm indicates that the Weil files go into such subjects as internal discussions about the hacktivist group Anonymous as well as how to respond to past hacking incidents on social media. There reportedly are discussions about whether Mark Zuckerberg would sue over The Social Network and whether Rupert Murdoch's name could be used in the potential George Clooney movie about hacking at News Corp.'s British tabloids.

Whether Sony did enough before the hack is a topic that also could invite much discussion in potential court cases.

Read more Sony Hack: Legal Risks for Years to Come

Data security breaches weren't a big line item in the legal department's budget, according to leaked documents. Instead, a lot more money was spent on an ongoing lawsuit over home video royalties, idea theft claims over The Talk and Premium Rush, participation claims by David Cassidy, and most especially, the SEC's investigation on how movies are distributed in China. The last item, reportedly a probe into whether Hollywood studios violated the Foreign Corrupt Practices Act, commanded nearly 30 percent of the litigation budget, potentially a sign of how serious Sony considered it. (Other companies like Deloitte have fought SEC subpoenas over practices in China with fears of running into Chinese secrecy laws — perhaps something to keep an eye on going forward.)

Of course, even though Sony Pictures CEO Michael Lynton on Dec. 7 sent a company-wide email that included a note from Kevin Mandia, head of Sony's cybersecurity firm Mandiant, calling the attack "unprecedented in nature" and noting that "neither SPE nor other companies could have been fully prepared," it would be a mistake to say that the company's lawyers totally ignored potential threats. In fact, according to board minutes, Weil briefed the company's directors, including Lynton, on June 4 about potential compliance risks including information security and privacy.

Twitter: @eriqgardner

comments powered by Disqus