On November 24, 2014, Sony Pictures Entertainment became aware that its company's computer systems had been hacked by a group known as the "Guardians of Peace." In the following weeks, Sony had five of its movies (four of which had not yet been released in theaters) uploaded to file-sharing websites, personal emails from company executives criticizing public figures published, and the confidential medical records of employees released, Additionally, the company received a terror threat surrounding the premiere of The Interview, starring James Franco and Seth Rogen. 

Subsequently, Sony cancelled the release of The Interview. (At the time of this writing, the hack has been linked to North Korea, whose government disapproved of the films ending). The full extent of the confidential and personal information obtained about Sony employees is unknown. A full timeline of the hack's aftermath can be found here.

Sony Pictures Entertainment's security breach highlights the increasing importance of a business' cyber security in today's world. Such a cyber attack exposes a business to immense liability concerns. In fact, a class action lawsuit has already been filed on behalf of 15,000 Sony employees who had private information (such as social security numbers) released. A particularly scathing IT assessment conducted by Sony several months prior to the hacking is likely to play a central role in that litigation, as it is arguably evidence of the company's knowledge of cyber security weaknesses. So what can businesses do to protect themselves against some of the legal backlash from such attacks?

1. Have a cyber security system- It goes without saying, but having some cyber security system in place is better than no system at all. Ideally, the system's strength will be directly proportionate to the sensitivity of the information the business stores. That is why certain industries (like the financial and medical industries) have statutory security  measures which must be complied with. Simply put, Congress did not want to allow businesses in those industries to cut corners, as complex cyber security systems can be expensive. Aside from those industries, most businesses hold sensitive information such as credit card data which must be secured. Last year, Target was hacked and some 40,000,000 customers' credit card information were stolen. By having a system in place in the event of a security breach and subsequent lawsuit, a business can argue that it took reasonably necessary measures to secure its sensitive data in order to limit or avoid liability. 
2. Routinely test the cyber security system- This goes hand in hand with the first point, because what good is having a cyber security system if it becomes ineffective. Unfortunately, it can happen. As hardware and software are updated, as they should be regularly, vulnerabilities can become exposed which were once previously hidden. Therefore, its imperative for a business to test its cyber security system regularly. Failure to do so may constitute evidence of not taking the reasonably necessary measures to protect sensitive information.
3. Determine the length of time that sensitive data will be stored- Sensitive data doesn't need to be held on to forever.  Some industries, particularly finance, are regulated in terms of how long they must retain specific data. Understandably, many businesses  in other industries retain some data for client convenience (i.e. saved credit card information). However, any stored sensitive data is also a potential liability. A business should weigh its liability risk for retaining certain data with the data's necessity. 
4. Disclose the breach- The vast majority of states require that a business disclose a security breach that involves the loss of personally identifiable information (social security numbers, drivers license info, etc.). From a legal standpoint, once a business has such a security breach, one of the worst things it can do is not disclose the breach to the mandated entity/agency/persons. This may include disclosure to more than just the persons potentially affected by the breach. By failing to disclose the breach, a business is statutorily incurring liability in addition to its existing and potentially large amount of liability resulting from the breach. Take a look at this site for links to the 47 State security breach disclosure laws.

Following these four suggestions will aid a business in limiting its liability should a security breach occur. Hopefully, your business is never breached like Sony Pictures Entertainment was.

Recently, strong allegations have surfaced that esports is suffering from a performance enhancing drug ("PED") use problem. These PEDs are not the steroids and human growth hormones of other sports, but are instead neuroenhancers. 

These kinds of drugs (Adderall, Ritalin, Selegiline, etc.) are known as "smart drugs" due to their abilities to enhance focus, calmness, and act as stimulants, which debatably enhance performance in professional gaming. Although there appears to be much confusion as to whether such neuroenhancers are banned from professional gaming (a quick Google search reveals many questions on the topic and few actual answers), if it is banned, there appears to be little enforcement as noted in the link above. 

Irrespective of neuroenhancers' status as potentially banned substances in professional gaming, utilizing such substances can have an impact upon a player's/team's existing sponsorship agreements.

As I noted previously, sponsorship agreements generally contain morals clauses. A morals clause allows a sponsor the opportunity to cancel a sponsorship should the athlete or team act in a way that is harmful or damaging to the sponsoring brand. In other words, morals clauses allow sponsors a means of exiting a sponsorship agreement with an athlete engaged in a scandal or otherwise illegal activity. 

The use of neuroenhancers in pro-gaming, regardless of whether the substance is banned, can trigger a sponsorship's morals clause  in several ways:

• The athlete does not have a prescription for said neuroenhancer, which is likely a criminal offense
• The athlete illegally obtains a prescription, which is criminal
• The athlete legally obtains a prescription which the athlete uses illicitly 
• The athlete legally obtains a prescription and distributes the neuroenhancers to other athletes, which is criminal 

Any of the above reasons, which certainly is not an exhaustive list, could also be the cause of a scandal within the sport. Although scandals could be sufficient to independently trigger a morals clause, when combined with any of the above points, a scandal makes it much more likely.

Similarly, a team sponsorship may be impacted by a team member's use of neuroenhancers. Depending on how the morals clause is written, a single team member's actions may be sufficient to trigger the morals clause and permit the sponsor to cancel the sponsorship agreement. 

As the esports industry determines methods for curbing its PED problem, teams should keep in mind that any PED use can impact the sponsorships that they have worked hard to obtain. No team would want to lose its sponsor because a morals clause was triggered in an effort to perhaps gain a competitive advantage. Even worse, future sponsors may be hesitant to sponsor a player and/or their team due to past PED use.