Tuesday, May 24, 2011

Sony PSN Continued

I was curious to see whether the Sony figure of $150 million included any fines or other breakdown on how the financial impack might play out. Sony's financial forecast revision statement to their investors appears to not address fines from Visa or others. They also, rightly, do not speculate on what a settlement package might look like from the class action settlements that have already been filed.

To be clear, fines will probably be very steep. Comparing the Sony breach to Heartland Payments gives us a good picture to start with. Heartland was fined $60 million by Visa. $41.4 million by MasterCard, as well as $3.6 million by American Express. Heartland lost over 100 million debit and credit card numbers. Sony may have only lost a quarter of the credit card numbers, but I think the monetary penalty will be higher because of the extent of the breach and the foreknowledge that Sony might have had. Also the PCI Standards council has put a lot of work in using Heartland and TJX as example cases over the past several years. With such a large company being breached, they are likely to make another example out of them.

Monday, May 23, 2011

Sony PSN Breach

One of the reasons I decided to start an Information Security blog is that after researching some of the issues around the Sony PlayStation Network Breach that occurred in April I was left with more questions than answers. One of the things that I’ve noted is that there are very few blogs out there that deal with legal issues in Information Security, so it is my hope that I can shed some light on this network breach and other major developments related to the law.

Before I dive into the legal issues, I want to talk about the scope of the Sony breach:

In my humble estimation the Sony PlayStation network breach may cost the company nearly $350 million this year alone. This is just a ballpark number, estimated based on previous major breaches over the past several years. If you are a Sony shareholder, please don’t take this as an actual evaluation of your company’s damages. The company announced today that it expects the damages to be $150 million, but I think this leaves out the fines that should be coming soon from Visa, Mastercard, etc. The real danger to Sony isn’t the costs due to the breach. Let’s be honest, a third of a Billion dollars is just a drop in the bucket for Sony. To put things in perspective a little further, Microsoft’s Red Ring of Death cost the company well over $1 billion. The real danger is the potential for loss of reputation: Developers jumping ship for Xbox or Nintendo. Gamers leaving the console for another platform. And the longer the outage continues, the greater the likelihood that these customers will never come back, similar to how the baseball lockout effected the sport or the UPS strike permanently lost many of the company’s big clients.

Below is my breakdown of what the total cost of the breach might look like:

  • $150 million –Fines from Visa, Mastercard, Amex, Discover
  • $10 million –Lost income from PSN (PlayStation plus accounts, game downloads, etc.)
  • $10 million – free PlayStation plus accounts
  • $100 million – Credit monitoring
  • $10 million – Class Action Lawsuit Settlement
  • $10 million – state & Federal legal action
  • $10 million – Legal Fees
  • $10 million – Costs of Breach Notification
  • $10 million – Costs of Security Investigation
  • $20 million – Costs of Security Hardening
  • ??? – Lost Goodwill

If it proves to be true that Sony was running an unpatched version of the Apache Web Server, this could be very damming to the company. Dr. Gene Spafford of Purdue testified to congress that the vulnerability was mentioned on open web forums for nearly 3 months before the outage. What is unclear is how Sony could have passed PCI audits during this period. Presumably Sony is a Tier 1 or Tier 2 Card Processor, which subjects it to the highest levels of security scrutiny. An annual external audit needs to be completed annually, and electronic security scans need to be performed at least quarterly to determine whether servers have been patched. The issues with their PCI program will likely lead to increased fines from the major card brands.

As you can see from the above, the legal aspects of the Sony breach will probably be only a small portion of the overall cost to the company, maybe only around 10%. So why focus on the legal issues? Legal issues will drive the future response of the company. Sony has a history of bad actions with respect to its customers (deceptive practices, installing malicious software, etc.) so we shouldn’t rely on the good faith of the company alone to protect its customer’s data.

Questions/topics for future blogs:

  • Does the Sony breach have any ramifications for previous settlements with regard to information security? Most notably the Rootkit settlements in 2007.
  • What are the larger ramifications to information Security Law as a whole? Will this make it more likely for new legislation to be passed?
  • Is the breach beneficial to Information Security as a whole? Sony’s Playstation security itself was one of the last consoles to be cracked by a hacker. Sony’s prosecution of the hacker is what, on the face of things, precipitated the events (although the vulnerability of Sony’s network would most likely have been exploited eventually, anyway).
  • What would be more effective in changing the culture at Sony? The new federal legislation that is being considered on Information Security? Or the continued targeting of Sony's sites and affiliates around the world?
  • Do Information Security laws have any meaning when they can be circumvented so easily by hacking from countries that don't recognize the validity of those laws?
  • Is the legal system too slow to deal with these kinds of issues.

Thursday, May 19, 2011

IANAL, But.

The word most written on the Internet after the acronym, IANAL is "But." The acronym, if you're not familiar, stands for "I am not a lawyer." The author of the article, post, or blog will then go on to elaborate on a legal concept or issue.

The greatness of the Internet is that it allows anyone to be an expert on anything. And I'm not being sarcastic here. I really mean that.

One reason for this is that lawyers don't provide legal advice to individuals who aren't their clients. If they do give advice, then there is a danger that the individual who they gave the advice to will become their de facto client. This means the Internet is missing a wealth of advice from a whole profession...unlike other professions like Doctors who share medical advice in a variety of forums. The vacuum that lawyers leave is filled with the thoughts of others...sometimes with great insight. Unfortunately, you still need to go offline to get legal advice.

Another reason that lawyers don't give advice online is that an attorney needs to be licensed to practice in each state where they plan to work. If an attorney gives advice to an open forum across the country or across the world, he can be considered to be practicing in jurisdictions where he is not admitted to the bar. That's called malpractice (for all of you non-lawyers out there.)

All of this is to say that there is a wealth of information out there. This blog hopes to be educational on issues around information security (without giving legal advice, of course). Ultimately, I'd like to elevate the discussion around legal issues in information security, hacking, etc. by participating in the dialogue that is already happening. Hopefully someone finds it helpful and keeps the cycle going.

I am a lawyer (IAAL), but nothing that follows should be considered legal advice. What I write here should be for informational purposes only. I am not your attorney. Please consult one before making any big life decisions.