4 Contract Management Lessons from the Sony Hack

The December 2014 hack of Sony Pictures made big headlines. However, it would be a mistake to focus on the snarky remarks from Sony executives about stars, such as Angelina Jolie, George Clooney, or Adam Sandler.

While the contents of the hacked Sony servers will surely be fodder for gossip magazines for many months to come, the focus should be on the red-flashing warning signals, particularly in contract management, for corporate America. Here are the top four contract management lessons from the Sony hack.

1. Email Isn’t Safe Storage

The main takeaway from this corporate hack is the importance of proper email use within enterprises. According to the Verizon 2014 Data Breach Investigations Report, about 78% of cyber espionage malware gets inside corporations as an email attachment.

The most sensitive information wasn’t found in encrypted documents or password-protected files. It was in plain, simple text emails and emails with attachments. The hackers got hold of so much email data that the site WikiLeaks was able to create a keyword search tool that allows you to precisely find information.

Drill into the minds of your employees that if any information would be too sensitive to fall into the hands of hackers, then that information needs to be stored in the proper place and deleted from email accounts.

2. Destruction of Leaked Material Isn’t Always Possible

In the case of Sony, contracts with actors and directors, unreleased films and scripts, and other types of valuable information were readily available as attachments in corporate email accounts. Sony has been working hard with attorneys to request the destruction of hacked material that has appeared on several sites, ranging from Bloomberg Businessweek to The Hollywood Reporter.

However, Sony may be out of luck. Eugene Volokh, a First Amendment scholar at UCLA, states that publishing an entire, unreleased work, such as the script for the new James Bond movie, Spectre, would be considered copyright infringement; cherry-picking quotes from a leaked email wouldn’t. It’s part of the job of media outlets to report on matters of public interest. Keep this in mind when a board doesn’t want to approve budget for protecting your contract management data.

3. Legal Liability to Protect Contract Information

On the other hand, former Sony employees do have a legal leg to stand on. Four former employees from Sony Pictures Entertainment filed a lawsuit against Sony claiming that the company didn’t do enough to prevent hackers from stealing nearly 50,000 social security numbers, salary details and other personal information from current and former workers.

Some states, including California, have specific laws meant to protect sensitive financial and medical information. If your enterprise can’t show that it took appropriate measures to protect such data, then your enterprise may become legally liable for hacks.

This is why it’s a worthwhile investment to use contract management software that takes proactive steps to prepare audit reports and demonstrates care in handling sensitive information.

4. Create Layers for Sensitive Data

Two data practices from Sony are quite scary:

  • Sony kept 601 different files lying around with a total of 1.1 million social security numbers. That means that hackers had 601 different chances to gather SSNs. Even worse, enough information has been released about 15,231 employees and contractors that anybody could open bank accounts and credit cards and claim tax refunds in their names.
  • Sony employees stored sensitive information, such as publicity bibles on actors and passwords, in documents with titles that make it obvious what they include.

While cloud storage does have its benefits, it’s also important to isolate sensitive information in servers that aren’t connected to the Internet. The more layers that you can create between your data and hackers, the better protected you are.


The main contract management lessons from the Sony hack are the danger of using email as storage for contract data and files, the low chance of taking down leaked data from media outlets, the legal liability to protect sensitive information, and the importance of creating layers for your sensitive data.