The world of “Game of Thrones” has been invaded, pillaged, and laid to waste, but not by any Dothraki invaders, incestuous Lannisters, or Night King. By hackers. Unscrupulous cyberattackers, presumably bearing a striking resemblance to Joffrey Baratheon, claim to have stolen 1.5 terabytes of information from HBO, including unreleased episodes and scripts of “Game of Thrones.”
HBO’s data breach doesn’t just threaten unmasking upcoming GoT episodes. It’s also an important reminder to attorneys that white walkers hackers are a real, inescapable threat and that any data breach could have significant legal implications.
The Lannisters Send Their Regards
As Cersei Lannister was killing her foes and Jon Snow was coming face-to-face with dragons Sunday night, hackers were busy distributing information taken in what appears to be a massive hack of HBO. On Sunday, hackers contacted reporters announcing that they had purloined some of HBO’s most prized information.
Hi to all mankind. The greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. Its HBO and Game of Thrones……!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling.
The hackers claim to have taken 1.5 terabytes of data, according to Entertainment Weekly, which first reported the cyberattack. Already, unreleased episodes of HBO series “Ballers” and “Room 104” have been leaked online, along with the script for the upcoming episode of “Game of Thrones.”
In a statement, HBO confirmed that it had been hacked. “HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information,” the company said. “We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold.”
It’s unclear whether the hackers have video of unreleased GoT episodes or if they know who Jon Snow’s father really is. But spoilers aren’t HBO’s biggest problem here. As Gizmodo’s Adam Clark Estes notes:
The hackers in question claim to have stolen 1.5 terabytes of data from the company, a staggering quantity that could include not only unreleased episodes and scripts but also employee data and financial information. It’s unclear if this is the case, but the hackers appear to be leaking the data online slowly.
While the hack is perhaps the greatest spoiler of upcoming HBO episodes ever, it also feels a bit like a rerun. Several media companies have experienced similar data breaches in the recent past. In April, for example, a hack at Netflix resulted in the latest series of "Orange Is the New Black" being leaked before its release. In 2014, a hacking group leaked data from Sony Pictures, including sensitive personal and corporate information, internal emails, and insights into all those Adam Sandler films. That hack is thought to be connected to North Korea, as retaliation for Sony’s release of “The Interview,” a Seth Rogen film mocking Kim Jong-un. That hack cost an estimated $15 million in investigation and remediation costs, plus at least $20 million more to restore and upgrade financial and IT systems.
Data Breach Laws and Data Breach Lawsuits
If personal information was taken in the hack, it’s likely that state data breach laws could be triggered. Though there is no federal data breach notification law, there are a host of state laws that can apply in the wake of a cyberattack. Since California first adopted such data breach notification requirements in 2002, 47 other states have followed suit, creating a complicated tangle of notification requirements.
In most states, these laws are triggered when information such as Social Security numbers, driver license number, identification card numbers, credit & debit account numbers, or financial account login credentials is released. In such cases, affected organizations are typically required to send notices to customers or clients, alerting them of the breach and steps they can take to protect themselves.
State laws aren't the only statutes data breach victims need to be aware of, either. International laws could be triggered if PII was lost in a breach, as well. “Game of Thrones,” for example, is filmed primarily in Northern Ireland, with locations in Croatia, Iceland, Morocco, Spain, and even Malta. In the United Kingdom, a data breach triggers a complicated set of notification regulations, while in Croatia, failing to secure adequate security measures can be a misdemeanor.
Finally, there is the very real threat of litigation brought by those whose information may have been compromised. Following Sony’s hack, for example, at least four lawsuits were filed by Sony employees, who claimed that the company failed to adequately protect their private data.
Your Information Is Worth Much More Than an Episode of “Ballers”
The legal troubles that follow a data breach aren’t just something attorneys need to worry about on their clients’ behalf. These same consequences can threaten lawyers as well. Attorneys, after all, aren’t immune from data breach notification laws nor litigation over weak cybersecurity practices. Just last year, for example, a Chicago firm was sued by a client for malpractice after its security procedures allegedly put client information at risk.
While law firms may not have access to unreleased T.V. shows, they often have information that is much more valuable: trade secrets, insider financial information, sensitive communications and more. That information is inspiring more and more hackers to turn their attention to the legal industry. The Russian hacker Oleras has reportedly identified individual attorneys to phish, for example, based on their potential susceptibility—which, in this case, was also a measure of their perceived vanity. Last December, the Department of Justice indicted three Chinese nationals, accused of hacking into M&A firms and making millions trading on stolen insider information.
The discovery process itself can be particularly ripe for hacking. This is, after all, when attorneys not only gather up their clients’ most sensitive information, but then actively cull out the extraneous data, leaving only the most valuable documents behind. Hacks into discovery databases are “already happening,” according to Lael Andara, a litigation partner at Ropers Majeski in Silicon Valley. “We just haven't necessarily identified the hacks.”
Unlike the coming of winter to Westeros, such data breaches aren’t unavoidable. Systems that keep data encrypted both in motion and at rest can provide an important bulwark against hacks. Moving to a secure, cloud-based platform, too, can be a relatively easy way for firms to protect themselves and their information. Hosting sensitive documents in one centralized, protected hub, guarded by experts in security infrastructure, means fewer opportunities for data to be put at risk.
For those looking to protect against data breaches, there are a wide range of resources available. You can learn how the cloud can help secure your practice or download a white paper on safeguarding client information. You can also revisit Logikcull’s recent webinar on the future of law firm cybersecurity.
But if you want an advanced episode of “Game of Thrones,” well, you’ll have to find that yourself.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.
