Sony Hack: Judge Allows Ex-Employees to Sue for Negligence

Sony can't escape a claim that it failed to maintain adequate security measures in advance of a breach that exposed personal information.

On Monday, a California federal judge allowed former employees of Sony Pictures to sue over the large-scale hack, attributed to North Korea, that preceded the release of The Interview.

U.S. District Judge R. Gary Klausner has trimmed the lawsuit by rejecting some of the claims made by Michael Corona and others, but he finds that the plaintiffs have established standing and sufficiently pled injury to move the dispute to its next stage.

Sony faced a raft of lawsuits over the exposure of personal employee information such as Social Security numbers, bank account routing information and medical records. Since the legal actions were filed in December and January, they have been consolidated into a single federal action. (Some lawsuits in California state court have been paused for the time being.) Sony moved to dismiss the consolidated case, arguing the plaintiffs haven't alleged physical harm, damaged property or other specific injuries.

Klausner's opinion is the first time a judge has weighed in on the consequences of the hack.

He writes that the allegations that stolen "PII," or personally identifiable information, was posted on file-sharing websites for identity thieves to download, and that the information has already been used to send threatening emails, "alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury."

He rules that the plaintiffs therefore have standing.

The judge agrees with Sony that worries about future harm alone don't support a claim of negligence, but he credits the plaintiffs' allegations that costs for credit monitoring, password protection and other precautions have already been incurred to deal with the heightened risk.

"California courts have not considered whether, in the context of data breach cases, costs relating to credit monitoring or other prophylactic measures sufficiently support a negligence claim," he writes. "Upon review of the allegations, the Court finds that the Complaint sufficiently alleges facts to support the reasonableness and necessity of Plaintiffs’ credit monitoring."

The judge dismisses the portion of the lawsuit dealing with Sony's alleged failure to notify its ex-employees of the hack in a timely fashion. Nevertheless, he allows the negligence claim to reach beyond the cost of identity theft protection purchased by ex-employees: he accepts that the plaintiffs had a special relationship with Sony, and that the negligence claim should include the allegation that Sony failed to maintain adequate security measures.

"Here, Plaintiffs allege that to receive compensation and employment benefits, they were required to provide their PII to Sony," he writes. "Based on these allegations, there is no doubt that this 'transaction' was intended to affect Plaintiffs. Plaintiffs also allege that based on prior data breaches at other Sony companies and audits of Sony's own security systems, specifically with regard to human resource records, it was foreseeable that a data breach would occur and that Plaintiffs would suffer harm. Nonetheless, Sony made a business decision to not expend the money needed to shore up its system, and instead to accept the risk of a security breach. As a result of Sony's failure to maintain an adequate security system and timely notify Plaintiffs of the breach, Plaintiffs suffered the injury discussed."

Elsewhere in the decision, Sony still faces potential liability for failing to maintain the confidentiality of former employees' medical information: a claim under California's health privacy law survives. So does a separate claim that Sony violated California's Unfair Competition Law.

Sony is more successful in disposing of the claims for breach of implied contract, violation of the California Customer Records Act, and violation of Virginia and Colorado laws that require timely disclosure of a security breach.

Here's the complete ruling.
