BreachExchange mailing list archives

Will Sony Settle Cyber-Attack Lawsuit?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Jun 2015 20:06:19 -0600

http://www.bankinfosecurity.com/blogs/will-sony-settle-cyber-attack-lawsuit-p-1880

Did Sony underspend on information security, thus contributing to the
success of the devastating hack attack against it, which came to light in
November 2014? (See Sony Pictures Cyber-Attack Timeline.) And can a
business be held legally accountable by employees for their employer's
information security shortcomings?

Those questions are central to a lawsuit filed by Michael Corona and eight
other former Sony employees in the wake of what plaintiffs rightly dub a
data breach "epic nightmare, much better suited to a cinematic thriller
than to real life." Their suit accuses Sony of having failed to put an
effective information security program in place, despite having previously
suffered repeated, serious attacks.

"Sony failed to secure its computer systems, servers and databases, despite
weaknesses that it has known about for years," the lawsuit alleges, citing
in part a September 2014 audit by PricewaterhouseCoopers, which found that
Sony's information security and monitoring practices fell below "prudent
industry standards."

The lawsuit further alleges that nearly 100 terabytes of data was stolen,
including 47,000 Social Security numbers and personally identifiable
information for at least 15,000 current and former employees, some of whom
had not worked for the studio since 1955. As a result, breach victims "face
ongoing future vulnerability to identity theft, medical theft, tax fraud,
and financial theft," the lawsuit plaintiffs allege. "In fact, plaintiffs'
PII has already been traded on black market websites and used by identity
thieves."

Lawsuit Ruling

Sony asked a court to dismiss the suit, and U.S. District Judge R. Gary
Klausner this week did dismiss some parts, including allegations of breach
of contract and that Sony failed to notify breach victims in a timely
manner.

But in a setback for Sony, the judge ruled that other parts of the lawsuit
can proceed, although he has yet to rule on the merits of these claims,
including plaintiffs' allegation that Sony "made a business decision to
accept the risk of losses associated with being hacked." The federal judge
also agreed with the former employees' allegation that "to receive
compensation and employment benefits, they were required to provide their
PII to Sony." While many data breach lawsuits get dismissed on the grounds
that the breach did not cause any economic harm to people whose information
was stolen, Klausner said that by requiring employees' PII, Sony created a
"special relationship that provides an exception to the economic loss
doctrine."

Michael Sobol, an attorney for the plaintiffs, told the BBC, "We are
pleased that the court has properly recognized the harm to Sony's
employees."

A spokeswoman for Sony Pictures Entertainment did not immediately respond
to a request for comment on the ruling.

In the wake of the 2014 attack, at least nine other lawsuits were filed
against Sony by individual former employees. Like the Corona suit, all of
these lawsuits seek class-action status, meaning they would include all
current and former employees who were affected by the cyber-attack.

Wiper Malware Attack

To recap: Sony suffered a devastating wiper malware attack in November
2014, ostensibly designed to punish the company for releasing "The
Interview," a satiric film starring James Franco and Seth Rogen that
featured the fictional death of North Korean leader Kim Jong-un (see Sony
Hacking Is a Hollywood Blockbuster).

But before the attackers unleashed their wiper malware and began erasing
Sony hard drives and bricking laptops, they penetrated Sony's network and
stole tens of terabytes of data, including copies of unreleased movies and
the script for the upcoming James Bond film "Spectre," as well as numerous
private email exchanges, all of which the attackers began leaking (see Sony
Breach Response: Legal Threats).

Sony, in a December 2014 breach notification filed with California state
authorities, reported that the breach appeared to compromise current and
former employees' names, addresses, Social Security numbers, driver's
licenses and passport numbers, corporate credit card information, usernames
and passwords, and salaries. Sony also warned that individuals'
"HIPAA-protected health information" may have been exposed, including
medical diagnoses, dates of birth, health plan identification numbers, and
personal and health-related information.

As noted in Corona's lawsuit, large amounts of this information were leaked
to the Internet by attackers and likely remain in circulation.

Lawsuit Resolution: Unclear

What will happen next in the Sony class-action lawsuit saga, of course, is
not clear. But based on past breach-related lawsuits, it's likely that
unless the lawsuit gets dismissed, Sony will ultimately settle, rather than
risk a jury trial and ruling that might give breach victims more rights
(see Why So Many Data Breach Lawsuits Fail).

If Sony did make a business decision to underspend on security, it was a
costly move. In February, Sony said in an earnings report that it expected
to spend $35 million in cleanup costs through the end of its fiscal year in
March, largely related to restoring the company's "financial and IT
systems." But as the multiple lawsuits highlight, Sony faces continuing
legal costs, as well as the risk that it will eventually have to pay
damages or settlements.

But any such settlement likely would not happen soon. Indeed, Sony only
settled a lawsuit filed in the wake of its April 2011 breach - a year in
which the company fell victim to more than a dozen breaches - in June 2014.
That breach exposed personal information for 77 million users of the Sony
PlayStation Network and Qriocity services (see Sony Settles Data Breach
Lawsuit).

By that timeline, the lawsuits stemming from the 2014 Sony cyber-attack may
not be resolved until at least 2017.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss