I. The Cases
a. HBGary
HBGary was a computer security firm founded in 2003 by Greg Hoglund. HBGary later set up an affiliated company known as HBGary Federal, which focused mainly on providing computer security services and consulting to the federal government. In 2010, the CEO of HBGary Federal, Aaron Barr, bragged that he had “penetrated” the hacker collective Anonymous and had the capability to help government agencies like the FBI find and identify members of its network (Anderson, 2011). An Anonymous-affiliated hacking group known as Lulzsec responded to Barr’s claims by hacking into the HBGary website and downloading thousands of HBGary and HBGary Federal internal documents. The privacy implications of the hack were that not only was Lulzsec able to gain access to both companies’ e-mails and confidential information, including communications with third parties such as Bank of America and the law firm of Hunton & Williams, but much of that information was posted online for the world to read.
b. Sony Pictures Entertainment
The hardware and entertainment company Sony is no stranger to attempts to breach its security. However, the security breach that occurred in late November 2014 was unlike anything it had ever encountered. In response to Sony’s decision to run the film “The Interview”, a formerly unknown hacking group known as the Guardians of Peace hacked into the data servers of Sony Pictures Entertainment and stole an unconfirmed but definitely substantial amount of internal company information, including movies, scripts and other programming content (Seal, 2015). As in the HBGary hack, the privacy implications of the attack were significant, if not much more substantial. Again, the Guardians of Peace obtained e-mails not only between top Sony executives candidly commenting on a broad range of issues, including President Obama, but also between Sony leaders and some of Hollywood’s biggest names. In addition, the stolen information included the salary sheets and check receipts of Sony employees, as well as the social security numbers, medical information, financial data, and other personally identifiable information of thousands of Sony employees and contractors.
II. The Analysis
While neither case is the type normally used to discuss the tension between security and privacy, upon deeper consideration they illustrate the increasingly likely circumstances where the debate will be argued, namely in the private sector. This is so because the majority of people’s online information is held not by the state but by private companies. Unlike with a government entity, against which people have some semblance of protection via the Constitution, most privacy protections in the private sector are whatever is included in a company’s privacy policy, and security is based on whatever cybersecurity statutes might exist in the jurisdiction (Solove et al., 2005). In essence, the traditional question of security and privacy is flipped to mean how much security a private firm should be required to provide to protect the substantial amounts of private information that I voluntarily provide to it in order to use its services.
On the one hand, in the case of HBGary Federal, as a computer security firm, the implication would be that it had the necessary skills and took the necessary precautions to ensure that it could at least protect itself from attack by a group that it said it could control. An additional implication would be that, if it was hacked, it would take the necessary steps to protect the privacy of its clients and of the people with whom it communicates about computer security business. On the other hand, in the case of Sony, while its primary focus was not computer security like HBGary Federal, as one of the top companies in the world, with not only an extensive footprint in technology but also a history as the subject of numerous cyber-attacks, it should have known, especially after the Guardians of Peace threatened that they would attack it, that it might be attacked, and it should therefore have taken the necessary precautions to protect its employees’ and clients’ private information (Seal, 2015).
In either case, because clients and staff either voluntarily or as a necessity allowed their personal and private information to be disclosed to HBGary and Sony, the need for privacy is always the first priority. The only exception would be if the government needed to access a client’s private information, such as during the investigation of the incidents. Only in these circumstances might the need for security be stronger than the client’s need to protect their privacy.
In both cases, the information was under private control. Interestingly, it might have been better if the information had been under public control, because at least in that way there would be a definite legal remedy for the exposure. As the circumstances stand, customers may only have a cause of action in common law tort. Nevertheless, it is most likely that people and organizations will continue to voluntarily provide private companies with their private information, with only the hope that the company will provide the necessary protection for it. This will occur because, in order to benefit from the multitude of services being offered online, one’s personal information is necessary. This is especially true if the product is free. Still, some companies, such as Apple and Google, are making the protection of customers’ privacy a priority. They seek to achieve this through automatic encryption. This would not only help protect the customer’s privacy but, as some explain, increase the company’s security.
References
Anderson, N. (2011, Feb. 10). How one man tracked down Anonymous – and paid a heavy price. Retrieved from http://www.arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/3/
Seal, M. (2015, Feb. 28). An exclusive look at Sony’s hacking saga. Retrieved from http://www.vanityfair.com/hollywood/2015/02/sony-hacking-seth-rogen-evan-goldberg
Solove, D.J., Rotenberg, M., Schwartz, P.M. (2005). Information Privacy Law, 2nd Ed. New York, NY: Aspen Publishers.