CDSA Releases First TV, Film Cybersecurity Guidelines

The Content Delivery and Security Association (CDSA), which advocates for protection of media content, has issued its first TV and film security, notably cybersecurity, guidelines for everything from how to deal with data breaches to keeping costumes and props within the production "perimeter."

The guidelines are billed as a must-have for any producer or crew member who needs to secure their intellectual property "on-set, near-set or on-location."

North Korea famously hacked into Sony Pictures Entertainment computers in 2014 and stole massive amounts of data in an effort to get Sony to kill its film, The Interview, about the assassination of North Korea's leader.

Recent Hollywood history is also peppered with purloined copies of as-yet-unreleased films and TV shows that make it onto the internet. For example, Security Week reported in 2017 that a hacker group had stolen and leaked unreleased episodes of Netflix's Orange Is the New Black from a post-production house, then upped the ante by seeking payment in exchange for not leaking shows it stole from producers or post-production houses.

There are 100 pages of guidelines as well as an executive summary (itself 28 pages) and a security checklist.

For example, there is an "if you see something, don't say something" and "if you say something, don't also tweet it" advisory about social media.

"Personal experiences, opinions and information related to pre-release content and related project activities including shooting location, plot points, spoilers etc. should not be shared to any social media platform, e.g. Facebook, IMDB, YouTube, or Instagram," say the guidelines, "[as well as] personal sharing platforms such as personal Dropbox, iCloud or Smugmug, etc. Personal experiences that occur within a restricted area such as on the set, in the editing room, in the art department may not be shared, no photos from anytime at work should be shared, personal photography within restricted areas is not allowed and may not be shared."

The guidelines are the 18-month work product of executives from Amazon Studios, Amblin Entertainment, AMC, Bad Robot, BBC, Fox, Paramount, Marvel, Netflix, NBCUniversal, Turner, Walt Disney Studios and Warner Bros. with input from the Producers Guild of America.

The goal of the guidelines, according to that working group, is to "create an industry security standard for preventing and otherwise defending against the unauthorized or unintentional access to intellectual property in this era of evolving security threats, particularly cyber threats, which requires technical controls and effective security management processes."

The other goal is to make all that info applicable across different productions and producers while providing flexibility in implementation.

Understanding its "target audience," the group says it does not expect producers or crew will necessarily read the guidelines "cover-to-cover," so it recommends creating a security team of members of all departments and require them to read the guidelines cover-to-cover.

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.