Risk Insider: Hala Helm

Sony Incident Highlights Risk Struggles

By: | December 30, 2014

Hala Helm is Chief Risk Officer for the Palo Alto Foundation Medical Group where she is responsible for the development and maintenance of the overall risk management program. She holds a JD, MBA, and numerous professional health care and risk management certifications. She can be reached at [email protected].

The Sony hacking incident and its aftermath has many people talking about risk — North Korea, Sony, Hollywood actors, movie theater executives, even the president.

The issues under discussion, while extreme, highlight the risk calculus that business leaders must make every day, often without even realizing they are doing so.

There are two distinct risk issues at play in this issue: data security and freedom of speech.

The two have been confused in media reports, but presumably North Korea’s government would have found the subject matter of the movie, “The Interview,” offensive and objectionable even if it had been distributed through normal channels without first being leaked.

Data security is an issue that all businesses struggle with.

Despite advancing technology and our best efforts internally, data breaches across a wide spectrum of entities including entertainment, health care, banking and financial, and even the U.S. government have proven that ‘perfect’ data security is an ideal to strive for, but not necessarily a reality.

Business leaders must understand their vulnerabilities with respect to data security and takes steps to mitigate the associated risk. Network security audits and cyber liability coverage are a good start, but our risk analysis needs to go deeper than that.

A truly comprehensive risk assessment includes recognition of what a data security failure can mean to an organization in terms of financial impact, business interruption, and loss of goodwill.

It seems likely that future employee security training at Sony will include examples of appropriate and inappropriate email communications, among other things. We should all internalize that message and incorporate it in our employee training, or risk being the next media example of “what not to say in an email.”

The issue of risk in free speech, while more esoteric, is also perhaps more interesting.

The United States enjoys wide latitude in the ability to discuss, criticize, or even outright mock its public officials and government leaders. Indeed, public figures in the U.S. have less protection than private individuals, even in the face of ”vehement, caustic and sometimes unpleasantly sharp attacks.”  (Hustler Magazine, Inc. v. Falwell, 485 U.S. 46 (1988)).

By applying that same standard to others outside the U.S., however — where laws and culture may not be as permissive — we risk giving offense.

Leaders at Sony apparently understood this risk and were willing to accept it, but perhaps did not fully analyze or appreciate the implications of that risk to other stakeholders; including distributions channels, theaters, movie viewers, or even the general population.

Major movie houses pulled out of distribution, unwilling to risk the liability associated with the threatened mass disasters, which seems a reasonable response under the circumstances.

Smaller, independent theaters, possibly less burdened with deep pockets and corporate attorneys, had a greater appetite for risk and the associated reward.

Ultimately, Sony decided on a risk distribution strategy of releasing the film as streaming video and putting the decision in the hands of the end users — avoiding the creation of obvious targets for retaliation while answering the calls for freedom of speech.

Perhaps that was the best solution under the circumstances.

Read all of Hala Helm’s Risk Insider articles.

More from Risk & Insurance