BreachExchange mailing list archives

Lawyers take aim at Sony hack, may miss on payout


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 12 May 2011 15:28:22 -0400

http://www.chicagotribune.com/business/yourmoney/sns-rt-tech-us-sony-lawsuitre74b5ia-20110512,0,5104807.story

SAN FRANCISCO (Reuters) - The recent hacker attack at Sony Corp and
other corporate data breaches are attracting more class-action lawyers
eager to score a payday, though huge monetary settlements may be
elusive.

At least 25 lawsuits have been filed against Sony in U.S. federal
courts over the theft of user data from the PlayStation game network,
according to Westlaw, a Thomson Reuters Corp legal database.

The lawsuits accuse Sony of negligence and breach of contract for
allowing the personal data of more than 100 million online video game
users to be compromised and stolen.

The challenge for plaintiffs' lawyers in security breach cases is not
proving liability on the part of companies, but establishing damages,
according to attorneys involved in this kind of litigation.

Sony has been criticized for not telling customers quickly enough last
month that their personal data was compromised. The consumer
electronics company said it is possible that whoever broke into Sony's
system made off with about 12.3 million credit card numbers.

"Had Sony properly secured its database through known and available
encryption methods, even if a hacker were able to enter the network,
he would be limited in his ability to inflict harm," one lawsuit says.

A Sony representative declined to comment. The company has apologized
to its customers.

Judges are just beginning to address whether the disclosure of
someone's personally identifiable information (PII) represents a loss
of value, or if plaintiffs must show they suffered additional costs
because of a hack.

Last month, a federal judge in Oakland, California, declined to
dismiss a proposed class-action lawsuit over a 2009 data breach at
RockYou, which develops applications for Facebook and other social
networking sites. The plaintiffs claim they provided PII in exchange
for products and services.

U.S. District Judge Phyllis Hamilton found that allegation sufficient
to allow the lawsuit to move forward, but ruled that the case will
fail if the plaintiffs cannot demonstrate tangible harm from the
breach.

Still, with even more personal information spreading online via cloud
computing, which allows users to store files on the Internet, some
plaintiffs' attorneys think the dollar awards will get bigger.

"The breaches will become more spectacular in the future," said Ira
Rothken, a San Francisco-based lawyer who handles privacy class
actions.

Rothken filed a motion on Monday to consolidate all the Sony lawsuits
in the District Court for the Northern District of California. The FBI
and attorney general in New York also are investigating the security
breach.

Data breach cases also have attracted larger class-action law firms
that are better known for bringing shareholder securities fraud
litigation.

Milberg LLP, a veteran securities class-action law firm, is among
those that have filed lawsuits over the Sony incident. The firm
started to devote resources to online class actions "within the last
year or so," partner Peter Seidman said.

San Diego-based Robbins Geller Rudman & Dowd LLP, the national
class-action firm started by one-time Milberg defector William Lerach,
also sued Sony. If the lawsuits were consolidated, a judge would
decide which lawyers will represent the plaintiffs -- and be in line
to recoup most of the fees.

A boutique law firm representing the RockYou plaintiffs, Edelson
McGuire in Chicago, is also representing plaintiffs in the Sony case.
The firm, which has long litigated data breach and Internet privacy
lawsuits, has grown from five to 20 attorneys over the last three
years, partner Jay Edelson said.

There have been 190 reported data breaches this year, up from 142 in
all of 2005, according to a tracking database maintained by the Open
Security Foundation. In 2010, the number of reported breaches stood at
493, down from 624 the year before.

But Internet privacy-related lawsuits do not yield the nine-figure
settlements that can be found in classic securities fraud cases,
Edelson said.

Attorneys' fees in breach cases have historically topped out at $7
million to $8 million, he said. One of the largest early data breach
cases, involving Internet advertising company Doubleclick, settled in
2002 and paid $1.8 million in legal fees.

Companies will often propose solutions like free credit monitoring as
part of a settlement. Indeed, Sony has already offered its customers
complimentary enrollment in an identity theft protection plan.

Karen Johnson-McKewan, a partner at Orrick, Herrington & Sutcliffe LLP
who defends technology companies, said privacy cases could be more
popular with plaintiff lawyers as the U.S. Supreme Court makes it more
difficult to pursue other kinds of class actions.

"This looks like potentially rich vein in their view," she said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
