Back in the 1960’s, legendary bluesman Muddy Waters wrote a song called “You Can’t Lose What You Ain’t Never Had.”
Now, it is Sony Pictures that is singing the blues, as damages continue to mount following the cyber attack on its data networks just before Thanksgiving. A shadowy group with possible connections to the North Korean government has claimed responsibility for the hack, which, to date, has resulted in exposure of Sony intellectual property (e.g., movie scripts), trade secrets (e.g., film budgets), employee personal information (e.g., employee and former employee home addresses and social security numbers) and other sensitive information (e.g., actor travel aliases and phone numbers).
I’m no cybersecurity expert, but I’m at the point where I seriously doubt any currently available data security technology is totally hack-proof. Who knows, there may have been precious little that Sony could have done to prevent the loss of its intellectual property and trade secret information to determined hackers. Let’s face it, some of the most highly sophisticated corporations and government agencies have been victimized by cyber attacks in the last year. But the same really can’t be said for their employee data.
News reports have consistently stated that the Sony hacking exposed a total of 47,000 employee and former employee social security numbers to public viewing. At present, Sony only has approximately 6,500 employees, so that means that more than 40,000 of the people whose information was exposed no longer work there. Incredibly, according to the Wall Street Journal, the data exposed included the social security numbers of former employees who had left Sony’s employ 14 years ago.
So, while I’m sure there will be many lessons for employers (and businesses in general) to learn from this episode, the following takeaways focus on the 47,000 employees and former employees whose personal information now resides on the Internet.
- Employers should limit their collection of applicant and employee personal information to only that which is absolutely needed and limit the use of that personal data for the necessary purpose for which it was requested (typically for background checks, employment eligibility verification, and to report earnings and payroll taxes).
- Employee personal information should be stored securely and with limited access rights (i.e., don’t make it easy for the hacker to steal).
- Once the information is no longer needed, dispose of it in a secure manner.
In other words, as Muddy Waters sang: “You can’t lose what you ain’t never had.”