In a decision emphasizing the need for employers to focus on data security, on June 15, 2015, the U.S. District Court for the Central District of California refused to dismiss a lawsuit filed by nine former employees of Sony Pictures Entertainment who allege the company’s negligence caused a massive data breach.  Corona v. Sony Pictures Entm’t, Inc., Case No. 2:14-cv-09600 (C.D. Ca. June 15, 2015).

In November 2014, Sony was the victim of a cyber-attack, which has widely been reported as perpetrated by North Korean hackers in relation for “The Interview,” a Sony comedy parodying Kim Jong Un.  According to the complaint in this case, the hackers stole nearly 100 terabytes of data, including sensitive personal information, such as financial, medical, and other personally identifiable information (“PII”), of at least 15,000 current and former Sony employees.  The hackers then posted this information on the internet and used it to threaten individual victims and their families.  The nine named plaintiffs purchased identity protection services and insurance, as well as took other measures, to protect their compromised PII.

The plaintiffs filed a class action lawsuit alleging Sony failed to implement and maintain adequate security measures to protect its employees’ PII, and then improperly waited at least three weeks to notify plaintiffs that their PII had been compromised.  The plaintiffs asserted claims of negligence, breach of implied contract, and statutory violations of California, Virginia, and Colorado law.

Sony moved to dismiss the complaint.  First, Sony argued that plaintiffs lacked standing because they had not alleged a current injury or a threatened injury that is currently impending.  The court disagreed, concluding that the allegations of increased risk of future identity theft sufficiently established certainly impending injury.

Sony then challenged the viability of each claim.  While the court dismissed certain of the claims, the court allowed the plaintiffs to proceed with their claims of negligence and violations of California’s Confidentiality of Medical Information Act and Unfair Competition Law.  Key to the court’s decision on the negligence claim were its findings that (a) the costs plaintiffs incurred related to credit monitoring, identity theft protection, and penalties resulting from frozen credit constituted a cognizable injury, and (b) an exception to the economic loss doctrine applied because the parties had a “special relationship” whereby plaintiffs had to provide their PII to Sony in order to get paid and receive benefits.

Regarding the Confidentiality of Medical Information Act claim, the court found sufficient the allegations that Sony failed to maintain the confidentiality of the plaintiff’s medical information, which Sony has admitted included HIPAA-protected health information, and failed to institute reasonable safeguards to protect that information from unauthorized use.

While it remains to be seen whether the plaintiffs will prevail on any of their theories of recovery against Sony, this matter should be a lesson to companies that have not implemented appropriate data security measures more than just the loss of proprietary information.  Employers have a duty to protect the personal sensitive information that they obtain from their employees, and the failure to take preventative measures may result in legal claims, reduction in employee morale, and loss of reputation.

Employers should begin by auditing their information technology infrastructure and network for security vulnerabilities.  Any such audit should be done under the supervision of counsel to maintain the privilege and confidentiality of the audit.  Based on that audit, employers should take steps to mitigate the vulnerabilities found to a reasonable and appropriate level given the threats to the organization.  The Sony breach, like nearly all recent breaches, had an element of social engineering. To protect against these types of attacks employers should also train their workforces on information security best practices.  Finally, employers should be prepared to respond to breaches when they occur.  Employers should formulate and implement a breach response plan to minimize the time from the discovery of the compromise to the reporting of the incident to affected persons.

If a data breach does occur, the company should immediately execute the data breach response plan and quickly investigate the nature and scope of the data breach.  A forensic review should be conducted using an IT specialist that can trace the origins of the breach.  Employees and anyone affected should be notified so that they may take appropriate steps to prevent or limit identity theft and other damages.  Employers also should consider proactively notifying the police to work with the local cyber-crimes unit, as well as filing a civil suit against the perpetrator(s) to obtain injunctive relief and reduce further damage.  Appropriate legal counsel can assist in pursuing these options.

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.