Sony fails to shake data-breach suit
By Marisa Kendall, From The Recorder
SAN FRANCISCO — A federal judge ruled Monday that employees of Sony Pictures Entertainment Inc. whose personal information was exposed in last year’s data breach have standing to sue even if they can’t prove that information was used by criminals.
It’s often difficult for lawyers to successfully show collective harm in data-breach class actions in which plaintiffs can’t prove their personal information was used by criminals. But U.S. District Judge R. Gary Klausner of the Central District of California ruled plaintiffs don’t need to allege actual identity theft, saying he was satisfied with the injury they showed through money spent to monitor credit, protect passwords and freeze their credit in the aftermath of the breach.
“It is reasonable to infer that the data breach and resulting publication of plaintiffs’ [personal identifying information] has drastically increased their risk of identity theft, relative to both the time period before the breach, as well as to the risk born by the general public,” Klausner wrote, denying a key portion of Sony’s motion to dismiss. “It is commonly known that the consequences resulting from identity theft can be both serious and long-lasting.”
Plaintiffs claim a 2014 cyberattack, which the U.S. government blamed on North Korea, resulted in the release of financial, medical and other sensitive personal information of at least 15,000 current and former Sony employees. The hack was tied to Sony’s release of “The Interview,” a comedy depicting an assassination plot against North Korea’s leader, Kim Jong Un. Plaintiffs accuse Sony of negligence in its failure to prevent the breach, and claim executives were aware of the network’s security problems but made a business decision not to address them.
Sony’s lawyers with Wilmer Cutler Pickering Hale and Dorr argued plaintiffs have no standing to sue because they can’t allege they suffered identity theft, fraudulent charges or misappropriation of medical information.
“The complaint thus falls short of the basic requirement that a plaintiff suffer some concrete and particularized injury before he files suit,” the lawyers wrote.
Klausner disagreed, citing the Supreme Court’s 2013 ruling in Clapper v. Amnesty International, which held that plaintiffs can sue for threatened injury if the injury is “certainly impending.” He also mentioned a September ruling, in which U.S. District Judge Lucy Koh of the Northern District of California found plaintiffs had standing to sue Adobe Systems Inc. over a 2013 data breach even though they couldn’t show their information was misused.
Plaintiffs in the Sony case are represented by Keller Rohrback; Girard Gibbs; and Lieff Cabraser Heimann & Bernstein.
“We are pleased that the court has properly recognized the harm to Sony’s employees resulting from their private information escaping their employer’s protection,” Lieff Cabraser partner Michael Sobol wrote in an emailed statement.
Sony’s lawyers and representatives from the company did not immediately respond to requests for comment.
Plaintiffs also brought a negligence claim against Sony for failing to timely notify victims of the breach that their information had been compromised. Some plaintiffs weren’t told for three weeks, according to the complaint. Klausner dismissed that portion of plaintiffs’ claim, ruling it’s “implausible” that the delay in notification caused the victims harm.
Klausner also dismissed plaintiffs’ breach of implied contract and California Customer Records Act claims, as well as claims brought under Virginia and Colorado statutes that require companies to provide timely notice to data-breach victims. The implied-contract claim fails because plaintiffs did not show Sony intended to impede its employment agreement with plaintiffs, Klausner wrote. And he ruled employees cannot be classified as “customers” under the Customer Records Act.
The judge upheld plaintiffs’ claim under the California Confidentiality of Medical Information Act, potentially allowing plaintiffs lawyers to seek $1,000 per violation.
For more on this story go to: http://www.therecorder.com/id=1202729647880/Sony-Fails-to-Shake-DataBreach-Suit#ixzz3dKpzwlIy