Streaming services, including premier platforms like Netflix, as well as smaller platforms like Crunchyroll, continue to face cybersecurity risks on multiple fronts. In recent years, streaming services have combatted many common types of attacks, such as credential stuffing (where threat actors use compromised credentials to try to get into user accounts) and bot attacks (where threat actors use automated scripts to disrupt a site, steal data, or commit fraudulent transactions). When threat actors gain access to streaming services’ systems, not only is the personal data of customers and employees at risk of exposure, but highly valuable intellectual property (IP) is too.
Compared to more familiar cybercrimes, such as the theft of personal data like credit card information, health data, or Social Security numbers, cyber theft of IP assets tends to receive less publicity. In part, this is likely because various legal requirements mandate companies to provide notice of data breaches impacting personal data, whereas IP breaches do not always require notification to regulatory authorities. As a consequence, discussions about the impact of cyberattacks tend to focus on breaches involving personal information. However, IP breaches can be just as impactful to an organization—resulting in costs associated with the lost value of the IP, business disruption, reputational damage, cybersecurity remediation, and insurance premium increases, to name a few.
The Netflix IP Breach
The most prominent example of an attack aimed at stealing intellectual property occurred recently. In August 2024, one of Netflix’s post-production partners experienced a security breach resulting in leaked footage of several unreleased Netflix TV shows and movies. It is suspected that this partner performed subtitling, translation, and language dubbing services for Netflix. Other streaming services were also affected by the leak, including Sony-owned Crunchyroll, which offers anime and other Japanese entertainment.
The Risks of IP Theft and Breaches
While the financial impact of the Netflix IP breach is yet to be seen, the monetary risks of IP theft and breaches can be significant because IP can constitute a large portion of a company’s value. This is especially true for a company like Netflix, whose entire business is built on streaming digital content.
Beyond theft of copyrighted material (as occurred in the Netflix breach), other types of IP that are attractive to threat actors include proprietary algorithms, software code, and other kinds of trade secrets. Breaches can also expose proprietary business information companies may not wish to disclose, such as plans to engage in M&A activity.
Streaming services should also be aware of the risks of ransomware attacks where IP is stolen and the malicious actor could threaten to expose that information—for instance, valuable content (e.g., the finale of a popular TV series) could be distributed unless a ransom is paid.
Compounding these risks for streaming services that are public companies, a breach that affects IP in a way that materially damages the financial position or reputation of the company could require reporting to stockholders and the U.S. Securities and Exchange Commission (SEC) under the new SEC cybersecurity rules.
How Streaming Services (and All Companies) Should Approach Protection of IP
Companies can certainly pursue actions against an entity that illegally distributes content protected under copyright law or commits other types of IP theft. However, in addition to aggressively pursuing bad actors, companies should also be taking steps to ensure that their IP is protected in the same way that personal data or any other critical asset is protected.
This particular breach serves as a reminder that companies should: (1) ensure that appropriate security measures are in place to protect their IP; (2) account for IP in their data security and incident response programs; and (3) maintain robust vendor due diligence and monitoring programs to ensure that their vendors are applying the appropriate levels of protection to IP they maintain and other confidential materials.
Cybersecurity for IP Protection
While many regulations require the protection of personal information, few provide guardrails for protecting company IP. Nevertheless, companies should treat the environments that house their IP as the “crown jewels.” Alignment with industry standards, such as the International Organization for Standardization (ISO) 27001 or the National Institute of Standards and Technology (NIST) standard, is a common approach. Regardless of the standard a company relies on, minimum security measures should be implemented to, for example, control access to IP to only those who need to know or view it, scan the environment for and patch vulnerabilities, enforce multifactor authentication, and encrypt data at rest and in transit.
Incident Response
Most companies have incident response policies, but often the focus is on whether personal information was affected. Companies’ incident response teams should be aware of the systems where IP is stored and have in place processes to detect intrusions to or misuse of those systems, as well as escalation criteria to alert legal and other senior stakeholders if a company’s IP assets have been compromised.
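The two preceding sections describe need-to-know access control for IP environments and incident response processes that detect misuse of the systems holding IP and escalate to legal and senior stakeholders. The following is an added illustration, not code from the original article or from any streaming service: a small Python module with a deny-by-default authorization check for content assets (need-to-know project assignment, MFA, and a separate grant for exporting unreleased material), a parser for a constructed audit-log format, and a detector that raises escalation findings for repeated denials and for bulk downloads of unreleased assets. All user names, asset identifiers, log lines, thresholds and escalation targets are constructed assumptions that a real programme would replace with its own.

```python
"""Need-to-know authorization and misuse detection for an IP asset store.

Added example; everything here (roles, asset ids, log format, thresholds)
is constructed for illustration and is not a real product's policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    project: str    # the production this material belongs to
    released: bool  # unreleased footage is the highest-value IP


@dataclass
class Principal:
    user: str
    projects: set = field(default_factory=set)         # need-to-know assignments
    export_projects: set = field(default_factory=set)  # may download unreleased cuts
    mfa_verified: bool = False


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    asset_id: str
    action: str
    allowed: bool
    reason: str


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    severity: str
    escalate_to: tuple  # constructed escalation targets, e.g. ("security", "legal")


def authorize(principal, asset, action):
    """Deny by default. Every branch returns a reason so the decision can be
    written to the audit log and later fed to detect_misuse()."""
    if action not in ("view", "download"):
        return False, "unknown_action"
    if not principal.mfa_verified:
        return False, "mfa_required"
    if asset.project not in principal.projects:
        return False, "not_need_to_know"
    if action == "download" and not asset.released and asset.project not in principal.export_projects:
        return False, "unreleased_export_not_granted"
    return True, "ok"


# Constructed audit-log line format, e.g.
# 2024-08-01T09:00:00 user=alice asset=S1E01_final action=view allowed=true reason=ok
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) asset=(?P<asset>\S+) action=(?P<action>\S+) "
    r"allowed=(?P<allowed>true|false) reason=(?P<reason>\S+)$"
)


def parse_event(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return AccessEvent(datetime.fromisoformat(m["ts"]), m["user"], m["asset"],
                       m["action"], m["allowed"] == "true", m["reason"])


def _max_in_window(events, window):
    """Largest number of (time-sorted) events that fall inside one window."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end].ts - events[start].ts > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_misuse(events, assets, window=timedelta(minutes=10),
                  denied_threshold=5, bulk_threshold=3):
    """Return Findings per user. Thresholds are assumptions to be tuned."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        # A burst of denials looks like probing or a compromised account being
        # pushed beyond its need-to-know scope: security team, medium severity.
        denied = [e for e in evs if not e.allowed]
        if _max_in_window(denied, window) >= denied_threshold:
            findings.append(Finding(user, "repeated_denials", "medium", ("security",)))
        # Bulk export of unreleased material by one principal is the IP-loss
        # scenario that must reach legal and senior stakeholders, not just IT.
        # Unknown assets are treated as unreleased (conservative default).
        exports = [e for e in evs if e.allowed and e.action == "download"
                   and not (assets.get(e.asset_id) and assets[e.asset_id].released)]
        if _max_in_window(exports, window) >= bulk_threshold:
            findings.append(Finding(user, "bulk_unreleased_download", "high",
                                    ("security", "legal", "executive")))
    return findings


# Constructed sample data: one normal viewer, one bulk exporter, one prober.
SAMPLE_ASSETS = {a.asset_id: a for a in [
    Asset("S3E07_cut", "seriesA", False), Asset("S3E08_cut", "seriesA", False),
    Asset("S3E09_cut", "seriesA", False), Asset("S1E01_final", "seriesA", True),
    Asset("filmB_trailer", "filmB", True),
]}
SAMPLE_LOG = """\
2024-08-01T09:00:00 user=alice asset=S1E01_final action=view allowed=true reason=ok
2024-08-01T09:01:00 user=bob asset=S3E08_cut action=download allowed=true reason=ok
2024-08-01T09:02:00 user=bob asset=S3E07_cut action=download allowed=true reason=ok
2024-08-01T09:03:00 user=bob asset=S3E09_cut action=download allowed=true reason=ok
2024-08-01T09:10:00 user=carol asset=filmB_trailer action=download allowed=false reason=not_need_to_know
2024-08-01T09:10:05 user=carol asset=S3E08_cut action=download allowed=false reason=not_need_to_know
2024-08-01T09:10:10 user=carol asset=S3E07_cut action=download allowed=false reason=not_need_to_know
2024-08-01T09:10:15 user=carol asset=S3E09_cut action=download allowed=false reason=not_need_to_know
2024-08-01T09:10:20 user=carol asset=S1E01_final action=view allowed=false reason=mfa_required
"""


def run_sample():
    events = [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return detect_misuse(events, SAMPLE_ASSETS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} {f.user:6} {f.kind} -> escalate to {', '.join(f.escalate_to)}")
```

The design point is that the authorization reason strings and the detector consume the same audit record: the access layer never silently drops a denied request, and the detector distinguishes an ordinary failed lookup from the two patterns the incident response plan should name explicitly, a burst of denials (security triage) and a bulk export of unreleased material (legal and executive escalation, since that is the event that may become reportable).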
Public companies should be aware of the requirements to report incidents to the SEC if the impact of IP theft is material as defined in the SEC cybersecurity rules. Because exposed IP can threaten a company’s reputation and financial health, assessing whether an IP incident is reportable should be a standard part of a company’s incident response plan and escalation procedure.
Vendors’ Protection of IP
This incident also brings to the forefront the importance of vetting vendors’ privacy and security practices. Reasonable vendor due diligence can help companies not only avoid doing business with ill-prepared or unsophisticated vendors but also mitigate regulatory risk in the event a vendor is accused of violating privacy or security laws.
Vendor management is a two-part process: (1) pre-engagement vendor due diligence; and (2) ongoing vendor monitoring. Establishing that a vendor’s privacy and security practices are sufficient in the first instance is often done through a questionnaire containing inquiries regarding the vendor’s privacy and security posture. Companies can then monitor vendors’ ongoing activities by asking them to update and verify their questionnaire responses on a scheduled basis, upon contract renewal, or—in some cases—to submit to regular audits.
In addition to preventative due diligence, companies should protect themselves contractually by including terms regarding their liability vis-à-vis the vendor. These terms should, broadly speaking, (1) bind the vendor to sufficient confidentiality, privacy, and security obligations with respect to company data (which includes personal data and IP); (2) require the vendor to expeditiously notify the company of any breach that may impact company data; and (3) require the vendor to indemnify the company for any losses arising from any breach caused by the vendor or its representatives.
Takeaways
This latest data breach affecting Netflix’s post-production vendor should serve as a reminder to streaming services—and all companies—to shore up the protection of intellectual property both in their possession and in the possession of their service providers. Although it is easy to focus on the risks associated with exposure of personal data, leaks of intellectual property come with their own costly consequences that should be accounted for as companies implement security and incident response programs.