Leaks in the video games industry are all too common nowadays, and companies are taking ever more direct action against those involved.
Just this week, Activision has subpoenaed Reddit to identify the users who leaked the upcoming Call of Duty battle royale. Meanwhile, Nintendo recently blacklisted an outlet for leaking details about Pokémon Sword and Pokémon Shield ahead of its release date.
While this is particularly unfortunate for the latter site, a much better outcome for Nintendo and Activision would have been no leaks at all. When it comes to preventing leaks, some factors are out of companies' control, but certain steps can be taken to minimize the risk.
The first step internally is to have anyone who has pre-public access sign a non-disclosure agreement. Richard Hoeg, an attorney at The Hoeg Law Firm, lays out what is helpful to include in an NDA.
"Have a good regime of enforceable contract language that explains what information is being handed over, what the recipient of that information can and cannot do with it, and which includes a specific promise on the part of the recipient that it will be kept confidential," Hoeg says.
Michael Lee, founding partner at Lee Law, adds: "Companies can include a liquidated damages provision which requires the payment of a set amount if there is a breach. Also, including a clause that states attorneys' fees can be awarded to the victor in case of a breach of an NDA provides a good deterrence."
External measures can also be taken. Keith Cooper, a partner at Morrison Rothman, recommends using third-party testers to play the game and provide feedback, and utilizing a Terms of Service (ToS) agreement. When third-party testers acknowledge the ToS, they understand and agree that some information is confidential.
Hoeg adds: "Make sure that you have vetted your testers, the recipients of such information, and that you take what logistical steps you can take as a company to prevent the dissemination of such information in breach of your contract."
Reducing The Risk
Even if a company takes every precaution, a leak can still happen. If it does, then being able to show the steps taken to prevent it is essential in a legal battle.
Lee says: "While it is true that these agreements cannot always prevent illegal conduct, they do at least establish that specific actions were indeed taken by the company to do their best at preventing it, which is a vital element to a company's argument."
"Leakers will be deterred only when they understand there could be real world consequences to their actions"
Keith Cooper, Morrison Rothman
Hoeg notes that the best place to prevent leaks from happening starts with the games companies themselves, adding: "The better they are able to keep sensitive information to themselves, the better [off] they will be."
In the case of one recent high-profile leak, the PlayStation Store had listed a demo for the upcoming Final Fantasy VII Remake. The internet was made aware of the demo's existence prior to its supposed public launch when an official image of it was posted on Gamstat, a public depository for updates to PlayStation Network's newest products. Hoeg describes Gamstat as an API scraper, and some people may inevitably question its legality.
"It might be [legal] or it might not be depending on how it was done and a whole host of other factors," says Hoeg. "From the company's point of view, though, it probably doesn't matter, because such folks will exist regardless and they need to keep that in mind when they are deciding on what to upload and when."
Another example was when 2K launched an investigation into YouTuber SupMatto over possible leaks for Borderlands 3. Hoeg suspects that SupMatto's main point of entry of obtaining Borderlands 3 information was through 2K, as the company accidentally included test account names in its promotional material, while 2K claimed a hack must have occured. If the former is true, just like Square Enix and the Final Fantasy VII Remake leaks, it was the company's negligence that led to the leaks being able to happen at all.
In order to prevent accidental leaks like these from happening, Lee says that companies need to take the initiative and establish a well-constructed security mechanism for their products, such as an End User Licensing Agreement (EULA). "Game companies must demonstrate a clear and concise showing of prohibiting this type of behavior from its users or others," he says.
Cooper points out how this is a modern day problem, as companies want to make the game data available for Early Access and beta testing. Prior to the widespread adoption of digital distribution, data mining wasn't really a problem because consumers had to wait for the release of completed games on disks. As such, there were no risks of data mining.
He also adds that, nowadays, data mining isn't generally an issue on platforms like PlayStation or Xbox: "The problem arises more on PC, where data files may be publicly exposed, often prior to the game's official release. Thus, the only way to prevent data mining is for companies to refrain from prematurely releasing the data on PC."
Hoeg also comments on how the games press may play an important part, as websites such as IGN, GameSpot, and GamesIndustry.biz report on the fallout of these incidents.
"If you do have a breach, you may well have to 'present' that you are willing to sue on that breach," he says. "Not to prevent what just happened, but to act as a signal to the next person that might be thinking of breaching their NDA."
Cooper agrees that, as aggressive as these lawsuits may be, publicizing the issue could ward off future violators. He adds: "While I am in no way advocating for doing this, leakers will be deterred only when they understand there could be real world consequences to their actions."
When going after various leakers of Pokémon Sword and Shield, The Pokémon Company was given permission to subpoena the identities of Discord and 4Chan users who allegedly leaked details.
"Typically, courts look at what immediate harms were caused by a leak"
Michael Lee, Lee Law
Hoeg comments on how the publicity of the issue was the most important part, arguing: "It is unclear whether Nintendo is even capable of identifying the leakers. Like the Final Fantasy VII Remake leak, [The Pokémon Company] does not appear to have had a direct contractual relationship with the leakers -- although that [part] is unclear, which is why they have to bring a claim based on tort rather than contractual breach."
Another issue is measuring the damage that could be caused by a leak. Lee and Cooper acknowledge that trying to accurately determine factors such as lost sales or other harm pre-release may be speculative, and in some cases impossible. Lee suggests measuring the time between the game's anticipated release and when the actual leak occurred.
"By having this information, the company can establish a timeline to better estimate the severity of other factors," he continues. "Including but not limited to: general audience reaction to the product, glitches or other software issues, and any net revenue that may have been lost due to a decline in interest prior to purchase.
"Typically, courts look at what immediate harms were caused by a leak, and what potential harms could develop in the future if a remedy is not available to the company."
The Pokémon Company's lawsuit noted that the leak caused "irreparable injury" to the company and that it is "entitled to damages in an amount to be proven at trial." Cooper briefly elaborates on both points: "What the contract can also do is include a provision where the parties agree that any leaks or information disclosure will cause 'irreparable injury,' which is another way of saying the harm will include something more than monetary damages, and the conduct can therefore be deterred through a restraining order, injunction or other restraint on conduct.
"Otherwise, the breach of contract complaint itself will specify that the Plaintiff is seeking damages 'in an amount to be proven at trial', at which time the company would try to demonstrate actual monetary harm in whatever amount they can prove, such as if they can prove actual lost sales or damage to reputation and so on."
If the defendant was bound to an NDA or ToS, the contract will include what are known as liquidated damages, which basically anticipates the monetary harm if a leak were to happen. However, Cooper clarifies that a contract cannot have punitive damages, saying: "Contract damages must be actual damages, like harm caused, and not include amounts to punish the defendant."
"With the skill and anonymity of folks on the internet, this is a battle companies are going to be in for a very long time"
Rick Hoeg, Hoeg Law
An example of this may lie in Epic Games' lawsuit against a Fortnite Chapter 2 leaker. Epic Games claims that the leaker, Lucas Johnston, violated his NDA and the company now wants damages of over $85,000.
"In the case of Fortnite, the NDA itself could have had a liquidated damages provision, or they could have calculated that it would cost X amount of sales they had expected when everyone was 'surprised'," explains Hoeg.
Lastly, there's the question of whether a company should respond publicly to leaks. Lee suggests there is merit in doing so: "One could make the argument that providing a public response would be advantageous for the company, should litigation ensue with the misappropriating party. It would provide some insight as to the type of injury that was sustained by the company and how the leak affected their overall success and profit."
Addressing leaks is also a way to manage customer expectations. Cooper notes that leaked information is very often incorrect or outdated.
"[This] can have a detrimental impact where the leak includes early alpha footage that is not representative of the gameplay," he says, "or where the leaks describe or criticize a game that is not complete and does not include all the intended features."
A very recent example is the leaked footage of Godfall. On Twitter, Gearbox confirmed that the footage that was being spread around was one-year-old PC footage as part of an internal presentation.
"It appears that they wanted to make clear that what folks were seeing was old, primarily to assuage any complaints that people might have," says Hoeg.
Cooper mentions that whether or not to respond is a judgment call, as some companies can enjoy the buzz from a leak. Companies can also benefit from feedback from the leak to address various issues or even add in new features.
"Overall, therefore, responding to leaks is probably best reserved for those cases where the company foresees actual harm resulting from the leaks," he says.
Hoeg emphasizes one point above all else: that the contracts and the law are much better suited for punishing rather than preventing. In order to prevent leaks from happening in the first place, it must start and stop with the companies themselves.
He says that companies use punishment to get the "next guy" to think twice. In the case of the Pokémon leak, Hoeg notes there was "probably very little to be gained from an all-out legal blitz against [FNintendo]."
"[That's] why you are seeing the public statement from Nintendo now, but if they wanted to make life difficult for the site, they could."
However, if leakers don't learn their lessons, then the companies are back where they started. Hoeg concludes: "With the skill and anonymity of some of these folks on the internet, that is a battle these companies are going to be in for a very, very long time."