One of the reasons I decided to start an Information Security blog is that after researching some of the issues around the Sony PlayStation Network Breach that occurred in April I was left with more questions than answers. One of the things that I’ve noted is that there are very few blogs out there that deal with legal issues in Information Security, so it is my hope that I can shed some light on this network breach and other major developments related to the law.
Before I dive into the legal issues, I want to talk about the scope of the Sony breach:
In my humble estimation the Sony PlayStation Network breach may cost the company nearly $350 million this year alone. This is just a ballpark number, estimated based on previous major breaches over the past several years. If you are a Sony shareholder, please don't take this as an actual evaluation of your company's damages. The company announced today that it expects the damages to be $150 million, but I think this leaves out the fines that should be coming soon from Visa, Mastercard, etc. The real danger to Sony isn't the cost of the breach. Let's be honest, a third of a billion dollars is just a drop in the bucket for Sony. To put things in perspective a little further, Microsoft's Red Ring of Death cost the company well over $1 billion. The real danger is the potential loss of reputation: developers jumping ship for Xbox or Nintendo, gamers leaving the console for another platform. And the longer the outage continues, the greater the likelihood that these customers will never come back, similar to how the baseball lockout affected the sport or how the UPS strike permanently lost many of the company's big clients.
Below is my breakdown of what the total cost of the breach might look like:
- $150 million – Fines from Visa, Mastercard, Amex, Discover
- $10 million – Lost income from PSN (PlayStation Plus accounts, game downloads, etc.)
- $10 million – Free PlayStation Plus accounts
- $100 million – Credit monitoring
- $10 million – Class action lawsuit settlement
- $10 million – State and federal legal action
- $10 million – Legal fees
- $10 million – Costs of breach notification
- $10 million – Costs of security investigation
- $20 million – Costs of security hardening
- ??? – Lost goodwill
If it proves to be true that Sony was running an unpatched version of the Apache web server, this could be very damning to the company. Dr. Gene Spafford of Purdue testified to Congress that the vulnerability was mentioned on open web forums for nearly 3 months before the outage. What is unclear is how Sony could have passed PCI audits during this period. Presumably Sony is a Tier 1 or Tier 2 card processor, which subjects it to the highest levels of security scrutiny: an external audit needs to be completed annually, and electronic security scans need to be performed at least quarterly to determine whether servers have been patched. The issues with their PCI program will likely lead to increased fines from the major card brands.
As you can see from the above, the legal aspects of the Sony breach will probably be only a small portion of the overall cost to the company, maybe only around 10%. So why focus on the legal issues? Legal issues will drive the future response of the company. Sony has a history of bad actions with respect to its customers (deceptive practices, installing malicious software, etc.), so we shouldn't rely on the good faith of the company alone to protect its customers' data.
Questions/topics for future blogs:
- Does the Sony breach have any ramifications for previous settlements with regard to information security, most notably the rootkit settlements in 2007?
- What are the larger ramifications for Information Security law as a whole? Will this make it more likely for new legislation to be passed?
- Is the breach beneficial to Information Security as a whole? The PlayStation itself was one of the last consoles to be cracked by a hacker. Sony's prosecution of the hacker is what, on the face of things, precipitated the events (although the vulnerability in Sony's network would most likely have been exploited eventually, anyway).
- What would be more effective in changing the culture at Sony? The new federal legislation on Information Security that is being considered? Or the continued targeting of Sony's sites and affiliates around the world?
- Do Information Security laws have any meaning when they can be circumvented so easily by hacking from countries that don't recognize the validity of those laws?
- Is the legal system too slow to deal with these kinds of issues?