Every day the news seems to include a new disclosure of a data breach where parties unknown obtain customer information from an organization. For the most part, this has become a routine element of life in the Information Age.
Hacks set off a chain reaction of new credit cards, “complimentary” data protection, and apologies. The costs of such breaches have seemingly been factored into the cost of doing business, and this had become easy to measure by taking stock of the number and complexity of user records obtained.
This changed recently. The cost of the December 2014 hack of Sony Pictures Entertainment is difficult to quantify. Unlike most previous data breaches, the hackers used the records they accessed to attack Sony’s identity. It was a personal attack, and like an ex’s angry posting of intimate pictures, thoroughly embarrassing.
Sony’s friends — including actors, producers and directors — were caught in unflattering casual conversations. Its business affairs were laid open, exposing such things as glaring pay disparities. Its shared secret strategy against Google was laid bare. Its life was thrown into chaos as the daily lives of its employees and its business operations were crippled by the corruption of its IT infrastructure. The hack and the use of acquired data wounded Sony far more grievously than the earlier hacks of its customers’ data.
The horrible truth is that most organizations are terribly vulnerable to hacking. They keep digital records of their activities. Their employees are human and vulnerable to social engineering attacks. Their infrastructure is often unpatched, outdated and insecure. They may not have backups. What’s more, even organizations with good security can get hacked. Hacking tools are easily obtained and increasingly user friendly. The advantage in cybersecurity rests with the offense.
Corporations have secrets too. Organizations fighting lawsuits have information they would prefer not to share. They engage in strategies that are more effective if not publicized. Information covered by non-disclosure agreements is a prime target. The silence of Hollywood following the Sony hack was a mute testament to the industry’s dawning realization that it was just as vulnerable.
Inadvertent or intentional illegality is also a problem. Organizations and the laws that regulate them are complex. Even law-abiding organizations sometimes accidentally run afoul of the law, finding themselves in the government’s legal crosshairs and subject to penalties. Less scrupulous organizations actively engage in illegal practices and risk dire legal proceedings. Movies such as “Erin Brockovich” and “The Informer” provide ready-made, true-life, cautionary tales to organizations. The penalties for corporate malfeasance can be ruinous.
Corporations and advocacy organizations make enemies, and the battles between these actors frequently take place in the courts. Court actions take time and money, which opposing litigants may lack. In a hypothetical David vs. Goliath legal matchup, some Davids may view hacktivism as a just recourse, especially if they believe that their foe is already engaging in unlawful behavior and they require evidence they believe is hidden. Some activists already skirt the bounds of legality combatting organizational “evils.”
One need look no further than the righteous if dangerous efforts depicted in the TV series “Whale Wars.” After spending years in court fighting lopsided battles with corporate legal counsel, activists might be inspired by some of the outcomes of the Sony hack or the example of NSA record leaker Edward Snowden. Aggrieved parties who feel that the justice system is failing them will increasingly resort to attacks upon corporate persons.
Organizations will invest in increasingly expensive cybersecurity. Already the corporate cybersecurity market is white hot with no cool down in sight. With hackers targeting them rather than their users, organizations will suddenly be much more interested in strengthening hacking laws and penalties.
The gold lining of this cloud of increasingly draconian regulation will be the accompanying strengthening of privacy protections. This will in turn raise the cost of data breaches. It is unlikely that it will significantly deter motivated hackers. Organizations will need to begin tracking the hacking capabilities of their competitors and enemies.
At the end of the day, the greatest effect may be to further deter unsavory or illegal business practices that, if disclosed, might pose a significant risk to the organization and its leaders.
We increasingly think of organizations and corporations as enjoying a personal existence. We have not given much consideration to the costs of personhood and neither have they. Few of them have the capacity to evoke sympathy in people, and they should not expect this to change in the foreseeable future.