9:37am PT by Eriq Gardner
Sony Demands Dismissal of Hack Lawsuits From Ex-Employees (Exclusive)
On Monday, Sony Pictures offered its first substantive response to the many lawsuits that have been filed by former employees in the wake of a large-scale hack.
Facing eight proposed class action lawsuits aiming to inspect the security measures it took in advance of the hack, Sony has filed motions to dismiss in each of them. According to Sony's papers, the defendants can't support their various claims because they haven't alleged any concrete injury.
Sony points to word that the cyber-attack was "massive and unprecedented," attributed to North Korea. The result of the hack was the exposure of personal employee information such as social security numbers, account routing information and medical records.
But what's missing from the allegations, continues Sony, is why the plaintiffs have standing to sue.
"There are no allegations of identity theft, no allegations of fraudulent charges, and no allegations of misappropriation of medical information," says Sony in response to the first lawsuit that was filed against the company by Michael Corona, who says he worked at the company from 2004 to 2007, and Christina Mathis, who says she worked at the company between 2000 and 2002. "Instead, the plaintiffs assert a broad range of common-law and statutory causes of action based on their alleged fear of an increased risk of future harm, as well as expenses they claim to have incurred to prevent that future harm."
Represented by attorneys at Wilmer Cutler, Sony says the lawsuits fall short of basic requirements that a plaintiff suffer some "concrete and particularized injury before" filing suit.
"While all of the plaintiffs’ claims share this overarching flaw, each is deficient in its own right," says Sony.
The many employees who have brought lawsuits — including Joshua Forster, Ella Carline Archibeque, Michael Levine, Marcela Bailey and Steven Shapiro — have come up with various legal theories on how to hold Sony accountable for what happened. They range from negligence and violation of California’s law protecting medical information to slippier accusations such as the unauthorized transfer of property from one entity to another. Most of the lawsuits seek millions of dollars in damages plus relief such as ordering Sony to pay for identity theft services for its ex-employees.
A taste of what the plaintiffs are alleging comes from Corona's lawsuit.
In mid-December, he filed a complaint that painted the portrait of an "epic nightmare, much better suited to a cinematic thriller than to real life, unfolding in slow motion for Sony’s current and former employees," further alleging that Sony failed to secure its computer systems and subsequently failed to timely protect confidential information.
With information from the hack itself as well as computer security analysts who have slammed Sony for lax procedures, the lawsuits have attempted to point to things that Sony could have done to prevent the huge breach by a group calling itself the Guardians of Peace.
The theoretical isn't sufficient, answers Sony.
"The plaintiff here alleges neither physical injury nor damage to property," writes Sony in response to a lawsuit by Lawon Exum. "Rather, the plaintiff’s claimed damages are purely economic — risk of economic losses from future identify theft and misuse of personal information and efforts to protect against the same. The negligence claim is accordingly barred by the economic loss doctrine."
Throughout the papers, Sony makes other technical objections, faulting a claim under the California Customer Records Act by way of example because the plaintiff is not a "customer" and faulting another claim under the Unfair Competition Law as not detailing why stolen personal information qualifies as "money or property."
According to Sony's data breach view as espoused in court papers filed yesterday, these workers must plead a cognizable injury rather than allege the potential injuries in a conclusory matter. Sony is no stranger to data breach lawsuits, having gone through one over a PlayStation Network hack in April 2011. Some of the past data breach lawsuits against other corporations have settled, while others, like one against a hack against Target, were given the green light after a judge upheld claims plantiffs had been injured just by the release of their information.
A motion to consolidate the many lawsuits against Sony over the hack is still pending.