Sony Data Breach Prompts Enhanced Role for HR

Employee data needs to be encrypted, restricted, and segregated

By Steve Bates December 30, 2014

The historic Sony Pictures data breach is a “game changer” that should foster a greater role for HR in protecting sensitive information, data security experts said.

On Nov. 24, 2014, hackers who identified themselves as Guardians of Peace started releasing sensitive data stolen from the California movie studio’s computer systems. Initial headlines focused on embarrassing comments that studio officials made in e-mails about President Barack Obama and movie stars. Continued threats prompted Sony to delay the theatrical release of its movie “The Interview,” which depicts the fictional assassination of North Korean dictator Kim Jong Un. U.S. government officials said they believe that North Korea was behind the hacking and threats related to the film. The Christmas Day launch of the movie was initially cancelled before Sony announced a limited theatrical release scheduled for Dec. 25.

The theft and disclosure of personal information about current and former Sony employees and their families—reportedly including medical records—exacerbated the crisis. The data breach should worry HR professionals everywhere, experts said.

“This is the biggest game changer I’ve seen from a cybersecurity point of view,” said Morgan Wright, a Northern Virginia-based technology consultant to corporate and government leaders.

There are many kinds of data breaches. Some occur when hackers send out malware-infected e-mails by the thousands, hoping that some will be opened and provide access to users’ computer networks. Other attacks are targeted at specific government or private-sector systems. The Sony breach was unusual in that it constituted terrorism, experts said. The hackers released thousands of e-mails, executives’ salary information and about 47,000 current and former employees’ Social Security numbers. Subsequently, some workers received threatening e-mails related to the film’s release.

Sony offered its workforce identity theft protection services. However, the breach “is devastating for the employees,” said Adam Levin, founder and chairman of Arizona-based IDT911, an information security firm.

Some experts say that Sony could have done more to protect its most sensitive data. It had been the victim of previous hacking incidents, which constituted warnings, according to a class-action lawsuit filed against the studio on behalf of current and former employees. Experts add that many—if not most—employers in the U.S. are behind the curve on data security. HR and individuals will bear much of the burden of fighting new breaches, they emphasized.

“We are encountering a clear and quickly developing paradigm shift in data security,” said Kenneth K. Dort, a partner in law firm Drinker Biddle’s Intellectual Property Practice Group in Chicago.

The heightened risk necessitates “a strong partnership between HR and IT,” said Steve Miranda, SPHR, GPHR, managing director of Cornell University’s Center for Advanced Human Resource Studies. “HR doesn’t need to be a subject matter expert on data security. It does need to be aware of the types of challenges so that it can have an intelligent conversation with their IT partners.”

To enhance data security, experts say, organizations should:

  • Make a top-to-bottom commitment to protecting sensitive information.
  • Limit the data that they retain, including e-mails.
  • Improve network access and password procedures.
  • Focus on individual documents as well as system-wide security.
  • Minimize data access for employees’ personal devices.
  • Train all workers regularly on their roles in securing information.
  • Consider stronger screening of prospective employees who would have access to sensitive data.
  • Establish detailed policies on how to respond to a breach, including assistance to affected employees.

“This is truly cyber warfare. We need to recruit our employees to be part of our cybersecurity army,” said Connie Stack, chief marketing officer of Digital Guardian, a security firm based near Boston. “This is now part of how they get their job done. We’re going to have to build it into how we do business.”

Diana L. Burley, Ph.D., a security expert and professor in the Graduate School of Education and Human Development at George Washington University, agreed. “We have to get out of the compliance mindset. We have to move away from security awareness and toward security engagement.”

Here’s how the change could work: Say you’re working on a spreadsheet that features sales information, reveals a potential business strategy or includes workers’ personal data. You might believe that your network prevents outsiders from seeing that document. That assumption is no longer valid. Now, that spreadsheet must be encrypted. In addition, it must be restricted so that only designated users can open or view it. And it can’t be downloaded onto your laptop, tablet or phone so that you can work on it from home.

Some organizations will need to inventory their documents and decide which ones to keep and how to protect them. Dort said that HR data “should be segregated on its own server with very limited access.” For each key document, he said, HR should ask: “How many people need that?”

“A lot of change has to happen,” observed Wright. “This is a cultural problem. It’s not a technical problem.” He said he fears that many company leaders will look at the Sony debacle and think that they won’t be victimized. “Until there is quantifiable pain, nothing is going to happen,” he stated. “Businesses have got to get serious about cybersecurity.”

“This is not something that should be bottled up in IT” but should involve the C suite and the board, said Levin. Organizations need “an entirely new corporate culture where security is part of the fabric of that culture.” He said many companies will need to designate a chief information security officer.

Stack said HR must help employees understand what information qualifies as sensitive and thereby build a “human firewall.” Regular training on the latest security procedures will be essential.

“It has to be the same level of urgency as a crew being trained on a submarine in missile drills,” said Levin.

“There is no guarantee that an organization will not be breached, even if they do everything right,” noted Burley. The best chance is through “continuing education of employees about proper protocols and ensuring that the procedures are followed.”

Steve Bates is a freelance writer in the Washington, D.C., area and a former writer and editor for SHRM.