October 20, 2021

Volume XI, Number 293

Advertisement
Advertisement

October 19, 2021

Subscribe to Latest Legal News and Analysis

October 18, 2021

Subscribe to Latest Legal News and Analysis

SONY Pictures Breach Stresses Need to Revisit Document and Email Retention Policies

The SONY Pictures cybersecurity breach playing out in public over the last few weeks is just the latest in a series of high profile cybersecurity breaches.  This one is a little different than some of the other commercial breaches we have been learning about recently, because in addition to sensitive personally identifiable information, it also involves highly confidential and personal emails, communications written with the expectation that only the sender and receiver of the email would ever see them.

Two excellent articles in today’s Wall Street Journal highlight some of the expanding implications of the breach. First, one article highlights the concern that while companies have focused on cybersecurity with respect to “sensitive” information, the focus has not been as vigorous on general email data. The article points out that since the SONY breach, executives are taking steps to reduce or control the use of email so that if communications are leaked, it is not as harmful to an organization.   For example, the article cites an executive recommending picking up the phone or visiting someone’s office rather than sending an email. I personally am not sure that is a practical alternative for all organizations, particularly for a large multi-national corporation or a company with a sizeable number of employees working remotely.

The second article cites the risk associated with emailing a business partner, as those communications are only as secure as the partner’s level of security for such communications.

In the wake of the incident, I expect that we will see a renewed focus on the security of all electronic data, including email.  One suggestion is that companies update their record retention practices in light of the security incidents of the last few years.  This includes updating their record retention policies, and perhaps implementing technical means to enforce those policies.  A reasonable record retention policy, instituted in good faith and properly managed to retain documents as required by law, can allow for the lawful, periodic deletion of non-essential business emails like the ones that came to light in the SONY breach.  See generally Rattray v. Woodbury County, Iowa, 761 F.Supp.2d 836 (N.D. Iowa 2010) (discussing a document retention policy with respect to the spoliation of evidence during litigation).

Also, I suspect that we will see organizations seek to mitigate this risk through other approaches, including technical approaches (systems and audits),more focused training, contractual approaches and governance initiatives, as well as, if necessary, through the prospect of litigation (as SONY recently did by instructing their attorney to send a letter to news organizations demanding, among other things, that they destroy any leaked information in their possession).

© 2021 Proskauer Rose LLP. National Law Review, Volume IV, Number 352
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jeffrey D Neuburger, Proskauer Rose Law Firm, Technology Attorney
Partner

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law...

212-969-3075
Advertisement
Advertisement
Advertisement