As Sony Pictures fights an uphill battle, working to minimize the post-breach damage while leaks continue to surface, the company's legal team has delivered a stern message to media covering the developments.
So far, a number of major publications, including The New York Times and The Hollywood Reporter, along with security journalist Brian Krebs, have received a three-page letter from Sony's attorney David Boies requesting that they destroy “stolen information” being disseminated in the Sony attack.
On Sunday, Re/code, which also received the request, published the letter in full.
“We are writing to ensure that you are aware that SPE [Sony Pictures Entertainment] does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the stolen information, and to request your cooperation in destroying the stolen information,” the letter reads.
Boies also demanded that reporters notify the law firm, “as soon as you suspect that you may have possession of any of the stolen information,” and after destroying it, “confirm that such destruction has been completed.”
“If you do not comply with this request, and the stolen information is used or disseminated by you in any manner, SPE will have no choice but to hold you responsible for any damage or loss arising from use or dissemination by you…,” the letter warned.
This weekend, almost in tandem with Sony's counsel's warning, more leaks reportedly surfaced, including a draft of the screenplay for the next James Bond movie, “Spectre,” and emails belonging to Sony Pictures Releasing International President Steven O'Dell.
While hackers promise that more information will be dumped, particularly another trove of data Christmas day, the extent of the information exposed by the Sony breach, announced Nov. 24, is already quite extensive. One firm, Identity Finder, assessed the damage and estimated that more than 47,000 Social Security numbers were stolen from the entertainment giant. Previously, it was reported that corporate data, including employee birth dates, medical information, login credentials and sensitive human resources data (like salaries and information on terminations) was exposed. Several Sony films, including “Annie,” were also leaked online.
Mark Grossman, an attorney who chairs the technology law group at Tannenbaum Helpern Syracuse & Hirschtritt, told SCMagazine.com in a Monday interview that Sony is “really grasping at straws and trying to intimidate news organizations into not publishing the illegally obtained information.”
“Even if it's Social Security numbers that were stolen, Sony doesn't necessarily have that onus to bring that lawsuit. The owner of the Social Security number would have to [do that]. So they even have diminished rights there,” he said of the company.
Grossman did say that the move may have its “intended effect” on smaller publications that have less resources to take on a major corporation like Sony in court.
“They could take on Sony and still be out half a million dollars in legal fees,” Grossman said.
Richard Martinez, a partner at law firm Robins, Kaplan, Miller & Ciresi, who chairs the firm's cyber security and data privacy practice, said in a Monday interview that Sony is “trying to make media outlets raise the bar for what will or won't be disclosed,” regarding the breach, “with the hope that ultimately less, rather than more [information] will leak out.”
In Martinez's opinion, however, “it remains to be seen” whether Sony has a sound case against those publishing information about the leaked documents. He offered that the company may be using the letter as leverage to protect itself, should the data breach result in lawsuits by affected individuals.
“I would say from a legal standpoint that it was wise to put media outlets on [notice] that they didn't consent to the release of this information,” Martinez said. “If Sony is ultimately sued by these [affected] individuals, they may want to show they've taken the steps to protect this information,” he explained later.
Martinez also emphasized the point that Boies specifically referenced certain types of "protected information" in the letter – such as attorney-client privileged communications, intellectual property, and trade secrets.
But, such categories of information are protected “so long as their confidentiality is maintained,” in the first place, Martinez said.
“If that information, like attorney-client privileged [data], intellectual property and trade secrets, is out in the public, those protections can be lost, so that's sort of the risk or catch-22 that Sony faces in this area,” he said.