Trade Secret Liability for the Sony Hacks
In the wake of one of the most devastating corporate hacks in history, Sony Pictures Entertainment (“SPE”) has been forced to watch a torrent of secret documents, lurid exchanges, and employees’ personal information flood the far reaches of the internet. SPE, in an apparent attempt to stem the tide of the leaks, recently demanded that major news organizations stop publishing hacked information. While these demands raise a whole host of legal questions the vast majority of which are well beyond the scope of this post perhaps the most intriguing ground raised by SPE is trade secret protection. Though often underutilized, trade secret law protects a remarkably wide range of subject matter, potentially including much of the hacked SPE information.
The moniker “trade secret” most often conjures up images of drink formulas and blends of herbs and spices, but in practice, trade secrets more commonly include customer lists, business plans, or processes used to increase efficiency. This is just the tip of the iceberg, however, as a trade secret can be virtually any form of information, including compilations, programs, devices, or processes. What really makes information a trade is secret is that it (1) is the subject of reasonable efforts to maintain its secrecy and (2) derives economic value from not being generally known or readily ascertainable.
Turning to the specific information hacked from SPE, it is, of course, questionable that the stolen items were subject to sufficient efforts to maintain their secrecy considering the success and extent of the hacks. The law does not generally require extraordinary efforts by businesses, but in a modern era of massive data breaches and international information leaks, this case may present interesting insight into what anti-hacking measures are to be expected of large businesses. Until more details are unveiled, we can only assume, based on Sony’s past efforts to bolster its cybersecurity after attacks on its PlayStation Network, that SPE had some passable cybersecurity system in place.
While the details of how the hacks occurred are still being investigated, there have been innumerable reports of what was taken. Several items relate to individual projects, including talent aliases and contact information, public relations strategies, and actor payouts. Other items relate to more general business operations, including detailed reports of employee and executive compensation, lists of frequent financial backers, summaries of sales meeting with local TV executives, and film profitability. There is little question that this kind of information could be valuable to competitors looking to enhance their ability to attract talent for new projects or streamline business processes. There is also little question that this information is difficult to acquire by proper means given contractual confidentiality provisions and a general disinclination of celebrities and investors to openly share their contact information with the public. The costs of acquiring this kind of information in the first instance can be incredibly high, and is exactly the kind of investment that SPE has put into acquiring such information that trade secret law seeks to protect.
Of course, just because SPE may have legitimate trade secrets does not explain why news organizations may be liable for publishing those secrets. Although the actual hackers could be liable under a host of criminal and civil laws, there is not yet any indication that they will be identifiable, or even reachable by U.S. authorities. News organizations, however, may be liable for disclosure of the hacked information since trade secret law creates liability for third parties who did not actively participate in stealing secrets. This occurs when the third party further discloses the information despite knowing or having reason to know that it was improperly acquired. In SPE’s situation, news organizations have not only been warned by SPE that the information was wrongfully acquired, but the news organizations themselves have consistently reported on how hackers stole troves of SPE files.
With the essential elements of a trade secret misappropriation claim plausibly established, a news organization may attempt to seek shelter in the First Amendment. Freedom of the press is, after all a fundamental tenet of our society, and courts generally do not want to restrain protected speech. However, this situation is (for now) a rarity, since past cases have generally dealt with very different topics that are central to political debate, e.g., foreign wars and national security. Trade secrets, by contrast, are typically matters of private concern, so the same First Amendment protections may not apply. If a lawsuit were ultimately to take place here, the decision could powerfully affect the way news organizations report hacking incidents for years to come.
How this situation will be resolved is impossible to predict at this point and countless questions remain to be answered. In the meantime, businesses should take this opportunity to reflect on how the potentially broad protections of trade secret law may apply to a wide variety of their proprietary information. Whether an attack comes from a hacker, a corporate spy, or a disgruntled employee, well prepared organizations may be able to recover for trade secret misappropriation from a number of different entities that use or disclose those secrets. All organizations should, therefore, take care to evaluate their methods of protecting trade secrets through contract terms, corporate culture, and technology.
By Robert N. Hunziker, Jr., Esq.