5:00am PT by Eriq Gardner
Sony Hack: Legal Risks for Years to Come
A version of this story first appeared in the Dec. 19 issue of The Hollywood Reporter magazine.
The sheer scope of the Sony data breach creates a nightmare not restricted to the realms of the embarrassing (candid emails from studio co-chairman Amy Pascal to producer Scott Rudin) or the dangerous (47,000 Social Security numbers, including for Sylvester Stallone and Judd Apatow). The massive hack by the so-called Guardians of Peace and ongoing leaks could raise unprecedented legal issues for Sony for years to come.
For example, consider a few red flags. A leaked spreadsheet titled "Comp Roster by Supervisory Organization 2014-10-21" includes detailed data about the salaries and bonuses of thousands of Sony Pictures employees. The document reveals that the highest earners at the company are almost all white males. The data seemingly could be used to support a gender or race discrimination lawsuit by Sony employees or by minorities who have applied for jobs at the company. And yes, other documents from the hack indicate that Sony has in recent years faced such discrimination claims and quietly put them to bed.
Another document reveals lucrative syndication deals for Seinfeld, which was produced by Sony's television division. This pact is subject to a nondisclosure agreement that requires the parties to "maintain reasonable security measures to safeguard each other's personally identifiable information from loss, misuse, unauthorized access, disclosure, alteration or destruction," according to the document. Now-public details such as a $5.85 million deal to license the show for the next three years to Tribune Broadcasting seemingly would run afoul of NDA clauses if Sony is found to have not taken appropriate precautions to protect itself from a hack. Sony itself made NDA agreements with entertainment and media companies like Al Jazeera, BBC and Ovation, according to the documents. The studio acknowledged it would take no less than "a reasonable degree of care" and made potential partners agree that they "maintain reasonable security measures to safeguard Sony Pictures' personally identifiable information from loss, misuse, unauthorized access, disclosure, alteration or destruction."
Another leaked document showcases "ultimates," the closely guarded long-term profitability of Sony films. Profit participants such as actors and directors (and their agents) now can compare the numbers to what they've seen in their own profit statements. Yet another document showcases the movie bundles that Sony was shopping to TV outlets. In Hollywood, the practice of "straight lining," or giving films of varying popularity the same value when it comes time to account for profits, has sparked legal actions. For example, "Broadcast Favorites II" features a package that includes The Covenant, Crossover and Gridiron Gang. A profit participant in one of the movies might not like it being grouped with and valued the same as the others. Plus, there's the still-novel issue of distribution fees in the world of digital. Some of the leaked documents reveal the terms of Sony's take when doing deals with digital giants like Google and Apple.
Sony already has laid the groundwork for an argument that it could not have prevented the hack, whether it originated in North Korea or elsewhere, or whether it had anything to do with the upcoming comedy The Interview. Sony Pictures CEO Michael Lynton on Dec. 7 sent a company-wide email that included a note from Kevin Mandia, head of Sony's cybersecurity firm Mandiant, calling the attack "unprecedented in nature" and noting that "neither SPE nor other companies could have been fully prepared." Says Ken Levine, president and CEO of Digital Guardian, which consults for several film companies, "[Mandiant] is clearly offering Sony the opportunity to hide behind the veil of advanced persistent threats."
But this could be the tip of the iceberg for a company that unwillingly has been thrust into near transparency. Entertainment lawyers polled by THR say they will be scrutinizing Sony's leaked information to analyze whether clients are getting everything that has been contractually promised. Many talent deals contain "most favored nation" clauses, so the hacked data represents an unexpected opportunity to find "smoking guns" that show the studio hasn't been honest. "When you are litigating against studios, getting documents through discovery can be hard," says James Janowitz, a partner at Pryor Cashman who represents talent. "Now suddenly someone pulls down the curtain."
Jeremy Goldman, a talent attorney at Frankfurt Kurnit, says that even if the profitability of Sony's films doesn't diverge from statements given to producers and actors, lawyers can benefit from an inside peek at what Sony's actual overhead is for distributing films. Usually, they never get to see such information, instead negotiating fees based on percentages, but thanks to the leak, they could now figure out whether Sony (and maybe other studios) charges higher-than-necessary expense costs. "Getting those ultimate numbers will potentially drive a change in leverage in favor of profit participants," says Goldman.
If disputes do arise, courts will have to decide whether leaked information can be used as evidence against Sony. Attorneys with whom THR spoke seem to have differing opinions. Some believe judges will allow hacked data such as salaries and profitability as long as litigants weren't responsible for the leak. Others argue that judges won't want to encourage future hackers. The debate suggests that side disputes could arise over whether Sony breached its duties by not employing stronger encryption or heeding the warning of risk assessments. Earlier this year, Sony paid $15 million in free games and other remuneration to settle legal claims over an alleged breach of consumer data of 77 million users of its PlayStation Network.
"It could be argued that Sony waived privilege if they didn't keep adequate measures to keep [information] confidential," says Peter Toren at Weisbrod Matteis & Copley. The attorney, who formerly worked in the DOJ's computer crimes division, also believes that standards will be examined in any lawsuits over breached NDAs.
And even if judges rule that things like a copy of a salary chart floating around the Internet aren't admissible, what's going to stop a class action lawyer from making an identical claim in a lawsuit, then pushing for the same document through the discovery process? Now that eyes are open, it might be hard to shut them.
Tatiana Siegel contributed to this report.