5:25pm PT by Eriq Gardner
Sony Aims to Use Other Corporate Hacks to Fend Off Ex-Employee Class Action
It's no secret that hackers are a rising threat to the privacy of corporations and their employees. What's less appreciated is how every large-scale hack potentially makes it tougher to punish those responsible for maintaining a reasonable amount of security.
Case in point is the ongoing negligence lawsuit against Sony Pictures over what happened last winter. In June, a judge allowed the lawsuit to proceed, and the following month, the plaintiffs filed a motion for class certification. In those papers, several former employees of the company reported being victims of identity theft. One plaintiff discovered unauthorized credit cards opened in his name, while two others found their personal information available for purchase on black market websites.
But was that because of the hack attributed to North Korea? Or was it because of data breaches connected to eBay, Home Depot and Target?
On Monday, in a newly unsealed opposition to class certification, Sony spells out the legal theory.
"Plaintiffs have no way to prove at a class trial, through generalized evidence common to the class as a whole, that any injuries to classmembers were caused by the SPE cyberattack," states the defendant.
As its first exhibit, Sony presents an expert report from Dr. Michael Turner, who writes that the increased risk of identity fraud depends on a number of factors including the amount of personal information exposed in the cyber attack, the age of the information exposed and the other sources of risk to which any individual is exposed. One appendix in his report is titled "Other Data Breaches That Have Exposed the Named Plaintiffs' PII."
Two plaintiffs potentially had information exposed through a breach at Anthem, a health insurance company, according to this appendix. Another potentially had information exposed through breaches at Dropbox and Evernote. And most of the plaintiffs used credit cards at Home Depot or Target, which also were subject to hacks.
Sony is using the fact that it isn't alone to its advantage and telling the judge that each plaintiff will need to demonstrate the proximate cause of his or her injuries, possibly by comparing hacked information to what's been used in a particular identity fraud.
"To prove that any injury — or even risk of future injury — is attributable to the cyberattack, each classmember would have to show that this cyberattack, and not another event, caused any incident of identity fraud," argues the defendant. "That issue is individualized."
Sony says there are other elements that warrant individualized attention.
For example, it's pointing to the variability of how its former employees managed themselves online.
"Some Plaintiffs maintain active online presences, which means that much of the PII they claim was disclosed in the cyberattack already had voluntarily been made available online," says the opposition brief. "For example, while [Joshua] Forster complains that his title, place of work, and dates on which he joined and left SPE were disclosed, he acknowledges that he had posted that information to LinkedIn and thus could not be harmed by its disclosure. [Michael] Levine likewise admits that he has 'put a lot of [his] life online.' For him and others, a wide range of PII was available online prior to the attack."
Sony's newest brief comes after months of grueling depositions for the former employees. A sampling of some of the questions:
"Did you discuss or raise concerns about SPE's data security policies with anyone at SPE during the interview process for any of these employments?" Sony attorney Chris Casamassima asked Levine.
"Did Sony Pictures' data security policies, practices, or procedures in any way affect your decision to continue working at Sony Pictures between 2000 and 2002?" Sony attorney Michael Bayer asked Christina Mathis.
"Is your age a secret?" Casamassima asked Ella Archibeque.
"And you put all of this detailed information about your jobs at SPE on the Internet before the November 2014 cyber attack, correct?" Sony attorney Drew Dulberg asked Forster.
"It was your opinion that setting up a pin and changing the password was sufficient; correct?" Sony attorney Cari Laufenberg asked Michael Corona.
Some former employees were given a chance to explain why they were suing and even whether they'd ever work for Sony again.
According to Archibeque: "Because I feel that they've mishandled my personal information along with everybody else's, and they were slow in responding — well, they failed to respond to any inquiries about the safety of my personal information or anyone else's."