BreachExchange mailing list archives

Sony data breach action survives motion of suit dismissal


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Aug 2015 14:01:30 -0600

http://www.scmagazineuk.com/sony-data-breach-action-survives-motion-of-suit-dismissal/article/431235/

Moves to dismiss a class action suit against Sony Pictures Entertainment
have failed and the case, initially filed on 2 March 2015, will continue
with nine plaintiffs suing the company in the wake of the security breach
in which Sony's information technology infrastructure and network were
hacked.

Sensitive personal data of at least 15,000 former and current Sony
employees were stolen. “The information included financial, medical and
other personally identifiable information (PII), was used to threaten the
individual victims and their families, and was posted on the internet,”
said Judge Klausner of the US District Court.

The plaintiffs, who are all former employees of Sony, cited these claims:

negligence, breach of implied contract, violation of the California
Customer Records Act, violation of the California Confidentiality of
Medical Information Act, violation of the Unfair Competition Law,
Declaratory Judgment, violation of Virginia Code § 18.2-186.6 and violation
of Colorado revised statutes § 6-1-716.

Judge Klausner stated, “The[se factual allegations] alone are sufficient to
establish a credible threat of real and immediate harm, or certainly
impending injury.”

On 5 June, the court granted a motion to dismiss the case, but only in
part, allowing it to progress to trial.

Many press accounts attributed the Sony hack to North Korea, seemingly a
response to the release of the movie “The Interview”, thought to be
offensive by the country and its leaders. Others suggested that the motive
was purely financial, making a non-state actor more likely.

Sony argued that the plaintiffs endured no current or threatened injury
that is impending, but the court rejected those arguments.

The court rejected the plaintiffs' negligence claim based on a failure
to notify them of the security breach in time. However, the claim was
allowed to continue on the basis of Sony's “alleged breach of duty to
maintain adequate security measures.”

The plaintiffs argued that hiring and paying them gave rise to an
implied contract to protect their data. The court disagreed with this
argument and granted Sony's motion to dismiss as to that cause of action.

The court granted Sony's motion to dismiss as to an alleged violation of
the California Records Act, but found that the plaintiffs could proceed
under the California Confidentiality of Medical Information Act, as no
formal disclosure was required of Sony. The Act requires
each employer that receives medical information to establish appropriate
procedures to ensure confidentiality and protection from unauthorised use
and disclosure of the information.

The motion to dismiss was denied as to the plaintiffs' Unfair Competition
allegations but granted as to alleged violations of the Virginia
Code. Lead plaintiff, Michael Corona, a Virginia resident, “discovered an
unencrypted spreadsheet containing his [personal information] online,
before he received any notification from Sony, and before he had an
opportunity to obtain identity protection services.”

The motion to dismiss was granted as to violation of Colorado's Consumer
Protection Act, because there is no private right to sue under the
statute. Only the state's attorney general can bring such an action.

The court did not bar the plaintiffs from pursuing injunctive and
declaratory relief.