SONY Pictures Breach Stresses Need to Revisit Document and Email Retention Policies
The SONY Pictures cybersecurity breach playing out in public over the last few weeks is just the latest in a series of high-profile cybersecurity breaches. This one is a little different from some of the other commercial breaches we have been learning about recently, because in addition to sensitive personally identifiable information, it also involves highly confidential and personal emails: communications written with the expectation that only the sender and the receiver would ever see them.
Two excellent articles in today’s Wall Street Journal highlight some of the expanding implications of the breach. First, one article highlights the concern that while companies have focused on cybersecurity with respect to “sensitive” information, the focus has not been as vigorous on general email data. The article points out that since the SONY breach, executives are taking steps to reduce or control the use of email so that if communications are leaked, it is not as harmful to an organization. For example, the article cites an executive recommending picking up the phone or visiting someone’s office rather than sending an email. I personally am not sure that is a practical alternative for all organizations, particularly for a large multi-national corporation or a company with a sizeable number of employees working remotely.
The second article cites the risk associated with emailing a business partner, as those communications are only as secure as the partner’s level of security for such communications.
In the wake of the incident, I expect that we will see a renewed focus on the security of all electronic data, including email. One suggestion is that companies update their record retention practices in light of the security incidents of the last few years. This includes updating their record retention policies, and perhaps implementing technical means to enforce those policies. A reasonable record retention policy, instituted in good faith and properly managed to retain documents as required by law, can allow for the lawful, periodic deletion of non-essential business emails like the ones that came to light in the SONY breach. See generally Rattray v. Woodbury County, Iowa, 761 F.Supp.2d 836 (N.D. Iowa 2010) (discussing a document retention policy with respect to the spoliation of evidence during litigation).
Also, I suspect that we will see organizations seek to mitigate this risk through other approaches, including technical approaches (systems and audits), more focused training, contractual approaches and governance initiatives, as well as, if necessary, through the prospect of litigation (as SONY recently did by instructing their attorney to send a letter to news organizations demanding, among other things, that they destroy any leaked information in their possession).