Since December 15, 2014, six putative class actions have been filed against Sony Pictures Entertainment, Inc., asserting claims by current and former employees whose personal information was allegedly stolen during the massive hacking attack inflicted in response to the studio’s movie “The Interview,” a comedy about a plot to kill North Korean Leader Kim Jong-un.
These cases—all filed in California federal court—allege that Sony breached its duty to protect its current and past employees’ confidential information and, specifically, allege an assortment of claims under the California Customer Records Act, the Confidentiality of Medical Information Act, the California Data Breach Act, the Fair & Accurate Credit Transactions Act, Unlawful and Unfair Business Practices under the California Business and Professions Code, and common law negligence, negligent hiring, bailment, and invasion of privacy. The complaints consistently claim that Sony has been the target of successful cybersecurity breaches in the past, but failed to take the necessary steps to protect its employees’ confidential information. In varying degrees of detail, the complaints address specific security breaches occurring at Sony throughout the years and Sony’s alleged failures to implement security protocols that it allegedly knew were necessary to protect sensitive information.
The hacking attack at issue was carried out on November 24, 2014, by a group named The Guardians of Peace, which the FBI contends is connected to North Korea. The group then allegedly publicized more than 47,000 current and former Sony employee names, addresses, social security numbers, birthdates, passports, visa information, salaries, severance packages, evaluations, discipline, criminal background checks, and other sensitive information on the Internet. The plaintiffs claim that a global security firm that analyzed the data loss found that many of the social security numbers were accompanied with other personal information, allowing criminals to easily access core data needed to commit identity theft and fraud.
The plaintiffs allege that the full scope of the breach is still unknown because the hackers claim they have not yet released all of the information seized. Further, the plaintiffs allege that Sony’s offer of one year of identity-theft monitoring is inadequate to address the scope of the breach. Despite best efforts to “scrub” the Internet, the plaintiffs claim that they will forever have to monitor for identity theft and will suffer from their sensitive information being available on the Internet for the rest of their lives. The complaints seek to recover at least $5 million in damages and seek injunctive relief.
It is yet to be seen what strategy Sony will take in defending these cases, as their responses to the complaints are not yet due to the court. However, motions to dismiss on some claims are likely, considering that damages may be speculative at this juncture. Indeed, the complaints state that the scope of the breach is still unknown, and the plaintiffs are not alleging damages from actual identity theft or fraud to date. Nevertheless, defense fees and possible settlements will be costly if the proposed classes are certified. Thus, these cases highlight the need for companies to ensure that confidential employee information is secure and to perform regular security audits to stay ahead of changing technology in this digital age of cybercrimes.
The case names are: (1) Rodriguez v. Sony Pictures Entm’t, Inc., No. 2:15-CV-14-PA-AJW (C.D.Cal. Jan. 2, 2015); (2) Bailey v. Sony Pictures Entm’t, Inc., No. 2:14-CV-9755-SJO-JC (C.D.Cal. Dec. 19, 2014); (3) Shapiro v. Sony Pictures Entm’t, Inc., No. 2:14-CV-9762-JAK-VBK (C.D.Cal. Dec. 19, 2014); (4) Levine & Lionel v. Sony Pictures Entm’t, Inc., No. 2:14-CV-9687-RGK-SH (C.D.Cal. Dec. 18, 2014); (5) Forster & Archibeque v. Sony Pictures Entm’t, Inc., No. 2:14-CV-9646-RGK-SH (C.D.Cal. Dec. 17, 2014); (6) Corona & Mathis v. Sony Pictures Entm’t, Inc., No. 2:14-CV-9600-RGK-SH (C.D.Cal. Dec. 15, 2014).
