Sony still paying for the hack

The Sony hack two years ago is still costing Sony money.

An article in the Hollywood Reporter notes that Sony has paid $millions already:

"After the hack, Sony has faced several lawsuits over failure to safeguard private data and most notably settled a class action from former employees in a deal worth somewhere between $5.5 million to $8 million."

That is on top of the substantial costs directly incurred in or caused by the incident, including the loss of business, inability for Sony Pictures Entertainment to operate for several weeks, penalties from the authorities due to its problems filing financial results on time, and of course the incident investigation and actions arising, clearing-up the mess.

Possibility Pictures is now claiming compensation for the loss of revenue on one of its films that Sony was supposed to be distributing. "To write love on her arms" was one of five films stolen in the hack and released onto the Internet as part of the incident. Possibility Pictures claims that Sony breached its obligation under an anti-piracy clause in their agreement due to the "entirely forseeable and avoidable failure of internal security".

'Entirely forseeable' is an interesting turn of phrase. It's not too hard for Sony to figure out what went wrong with the benefit of 20/20 hindsight, after the fact, but to claim that it was 'entirely forseeable' implies that Sony was blind to the possibility before the fact. It seems to me this was an audacious hack, unique in terms of its scale and the media coverage, so is it reasonable to expect Sony to have foreseen it? I guess that is one of many questions that will be argued out in court (if it gets that far). It's a fascinating example of information risk management.