Sony Hit With Fourth and Fifth Class-Action Lawsuits Over Stolen Data (Exclusive)

Two former employees claim Sony has a decades-long history of poor information security

Four days, four class-action lawsuits. Another complaint has been filed against Sony — after lawsuits on Monday, Tuesday and Wednesday — claiming the studio didn’t take adequate precautions to prepare itself for the cyberattack that led to the disclosure of thousands of employees’ private information.

The plaintiffs in the new case are Michael Levine and Lionel Felix, and both say they worked for Sony — Levine as a technical director for Sony Pictures Imageworks from 2003 to 2012, and Felix as a director of technology for Sony Pictures Digital Entertainment from 2001 to 2004. Like the other plaintiffs, they say they entrusted the studio with information including social security numbers, bank account and health care information, and salary history.

Their complaint, filed in U.S. District Court in Los Angeles, contends that the release of that information will cause the plaintiffs and their families "to remain vigilant for the rest of their lives to combat potential identity theft." It states that the information is furthermore so revealing that for anyone to view it "would amount to a grave invasion of privacy."

They've filed a slightly different list of claims against the studio than other plaintiffs — negligence, invasion of privacy, bailment (the transfer of property but not ownership from one party to another) and violations of California laws that require the protection of private and medical information and timely notification of data breaches — but their story of how Sony allegedly mishandled the security of its information is essentially the same.


Their complaint cites a CIO magazine interview with Sony svp of information security Jason Spaltro in 2007 in which Spaltro, then Sony’s executive director of information security, argued against investing fully in information security. "For decades, Defendant failed, and continues to fail, to take the reasonably necessary actions to provide a sufficient level of IT security to reasonably secure its employees' PII," the complaint reads.

The plaintiffs refer to the April 2011 hack in which 77 million users' data was stolen from Sony's PlayStation Network, which forced Sony to temporarily shut down the network, citing the hack as further indication that Sony’s information security is deficient. Then the lawsuit brings up details revealed in emails leaked in the recent hack itself — specifically, insufficiently encrypted files, a Sept. 25 audit that found vulnerabilities in Sony IT, passwords stored in a file labeled “PASSWORD” and a breach of some of Sony's Brazilian files in February that the company never disclosed.

The lawsuit, filed by attorneys Michael Sobol and RoseMarie Maliekel of Lieff Cabraser Heimann & Bernstein, addresses the recent reports that the North Korean government was behind the hack. "Defendant engages in the entertainment industry as part of a vast multinational corporate conglomerate [and] knows or should know that it may be the target of the world’s most sophisticated data hackers or cybercriminals," the complaint reads. Sony's duty to protect its employees' information is the same "regardless of the identity of the hackers or cybercriminals, even if, as some recent press reports indicate, they act at the direction of a foreign government."

The aftershocks of the hack, legal and otherwise, continue to reverberate throughout the industry. President Barack Obama stated in a press conference Friday that Sony “made a mistake” to pull The Interview, the North Korea-set Seth Rogen comedy that triggered the hack, from release. The studio killed the film’s roll-out on Wednesday after threats of a new action similar to the Sept. 11, 2001 attacks.

Update: And on Friday comes the fifth class action against Sony Pictures. This one is filed on behalf of Marcela Bailey, who is identified as working for the studio for 22 years until February 2013. She is looking to certify a class comprised of all current and former employees, contractors and freelancers of Sony — estimated to be at least 47,000 people — and her allegations include a violation of The Fair Credit and Reporting Act as well as negligent hiring and supervision of security personnel. Capstone Law is the firm representing her.

Update #2: Wait, another! Here's the sixth class action lawsuit from Steven Shapiro, employed at Sony from 2003 to 2010. Read the complaint. Again, it's in California. Expect some consolidation.

Email: Austin.Siegemund-Broka@THR.com
Twitter: @Asiegemundbroka
