- Sony Data Breach Class Action Survives Motion to Dismiss Suit
- August 7, 2015
- Law Firm: Pessin Katz Law P.A. - Towson Office
As previously reported by PK Law, Michael Corona and eight other individuals (“Plaintiffs”) filed a class action on March 2, 2015 against Sony Pictures Entertainment, Inc. (“Sony”) (U.S. District Court, Central District of California, Case No. 14-CV-09600 RGK (Ex)). The action arises out of a security breach wherein Sony’s information technology infrastructure and network were hacked, and sensitive personal data of former and current Sony employees were stolen. Plaintiffs, all former employees of Sony, allege the following claims: (1) Negligence; (2) Breach of Implied Contract; (3) Violation of the California Customer Records Act; (4) Violation of the California Confidentiality of Medical Information Act; (5) Violation of the Unfair Competition Law; (6) Declaratory Judgment; (7) Violation of Virginia Code § 18.2-186.6; and (8) Violation of Colorado Revised Statutes § 6-1-716.
Sony filed a Motion to Dismiss the case. On June 5, 2015, the Court (R. Gary Klausner, U.S. District Judge) granted the Motion, but only in part, thereby allowing the case to proceed to trial.
Widely reported press accounts attributed the Sony “hack” to North Korea. Ostensibly, the attack was a response to the release of the movie “The Interview,” which that country and its leadership found offensive.
As a factual matter, Judge Klausner’s opinion states:
“In November 2014, as a result of inadequate security measures, Sony was the victim of a cyberattack, wherein Sony’s information technology infrastructure and network were hacked. The perpetrators stole nearly 100 terabytes of data from Sony’s system. Among the data was sensitive personal information of at least 15,000 current and former Sony employees. The information, which included financial, medical, and other personally identifiable information (“PII”), was used to threaten the individual victims and their families, and was posted on the internet. Because Sony was focused on its own remediation efforts and not on protecting its former and current employees, Plaintiffs have had to purchase identity protection services and insurance, and take other measures to protect their compromised PII. Notwithstanding these measures, Plaintiffs face ongoing future vulnerability to identity theft, medical theft, tax fraud, and financial theft because their PII has been, and may still be, publicly available to anyone with an internet connection. In fact, Plaintiffs’ PII has already been traded on black market websites and used by identity thieves.”
Sony argued that the Plaintiffs had sustained neither a current injury nor a threatened injury that is certainly impending. The Court rejected those arguments. It relied on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), in which a laptop containing personal identifying information of 97,000 employees was stolen and “allegations of increased risk of future identity theft were a credible threat of real and immediate harm.” Judge Klausner went on to state: “The[se factual allegations] alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.”
The Court rejected the Plaintiffs’ negligence claim arising out of a failure to timely notify them of the security breach, but allowed the negligence claim to proceed on the basis of Sony’s “alleged breach of duty to maintain adequate security measures.”
Plaintiffs argued that by hiring them and paying them there arose an implied contract to protect their data. The Court disagreed with this argument and granted Sony’s Motion to Dismiss as to that cause of action.
The Court also granted Sony’s Motion to Dismiss as to an alleged violation of the California Records Act. However, the Court found that under the California Confidentiality of Medical Information Act, which requires that “[e]ach employer who receives medical information shall establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information,” the Plaintiffs could proceed, as no formal “disclosure” was required on Sony’s part.
Sony’s Motion to Dismiss was denied as to the Unfair Competition allegations of the complaint but was granted as to alleged violations of the Virginia Code. As to the latter, the lead Plaintiff, Corona, as a Virginia resident, “discovered an unencrypted spreadsheet containing his [personal information] online, before he received any notification from Sony, and before he had an opportunity to obtain identity protection services.” The Court relied, on similar grounds, on its reasoning for rejecting in part the Plaintiffs’ negligence claim, mentioned above.
The Motion to Dismiss was granted as to violation of Colorado’s Consumer Protection Act, there being no private right to sue under that statute. Only the State’s Attorney General may maintain such an action.
The Court did not bar the Plaintiffs from seeking injunctive and declaratory relief.
There is evidently a split of opinion among the United States Courts of Appeal regarding the use of the Krottner case mentioned above. Eventually, should the case be tried and the Plaintiffs succeed in reliance on that case, the matter may be headed to the Supreme Court.