
Hacked former Sony employees’ negligence, California statutory claims advance

By Joy P. Waltemath, J.D.

Sony was unable to dismiss negligence and two California statutory claims brought by former employees who alleged sufficient injuries they had already incurred as a result of a cyberattack against Sony. The former employees alleged that their medical, financial, and other personally identifiable information had been hacked and posted on file-sharing sites on the Internet for identity thieves to steal, as a result of which they received email threats and had been required to purchase identity theft protection and monitoring. However, the federal district court in California dismissed their breach of implied contract, California Customer Records Act, and Colorado and Virginia data breach notification laws claims (Corona v. Sony Pictures Entertainment, Inc., June 15, 2015, Klausner, R.).

Sony security breach. According to the class action complaint of eight former employees, Sony suffered a cyberattack due to its inadequate security measures; nearly 100 terabytes of data were stolen from Sony’s system, including financial, medical, and other personally identifiable information (PII) of the former employees. Sony moved to dismiss their complaint arguing both that the former employees lacked Article III standing because they failed to allege injury-in-fact and that the complaint’s allegations were insufficient to state a claim under Rule 12(b)(6).

Article III standing. Sony argued that the employees failed to allege a current injury or a threatened injury that is certainly impending. Unconvinced, the court looked to Ninth Circuit precedent holding that, where the information had already been stolen, allegations of increased risk of future identity theft were a credible threat of real and immediate harm. The U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty Int’l USA found no standing based on the facts before it, but the injury-in-fact standard remained unchanged. Because the employees alleged that their PII was stolen and posted on file-sharing websites for identity thieves to download, and was used to send emails threatening physical harm to employees and their families, their allegations were enough to establish a credible threat of real and immediate harm or impending injury to satisfy standing.

Negligence claims. Sony challenged the negligence claim, asserting that the employees did not allege any cognizable injury to support a claim for negligence, and that the economic loss doctrine barred their claim. The employees alleged Sony breached two separate duties: the duty to implement and maintain adequate security measures to safeguard its employees’ PII, and the duty to timely notify them that their personal information had been compromised. Specifically, they alleged the following injuries: (1) loss of ability to control how their PII is used; (2) diminution in the value and/or use of their PII; (3) the compromise, publication, and/or theft of their PII; (4) out-of-pocket costs associated with preventing, detecting, and recovering from identity theft or unauthorized financial and medical records use; (5) lost opportunity costs and loss of productivity from efforts to mitigate the actual and future consequences of the breach; (6) costs associated with the inability to use credit and assets frozen or flagged due to credit misuse; (7) unauthorized use of compromised PII; (8) tax fraud or other unauthorized charges to financial, health care, or medical accounts; (9) continued risk to the PII that remains in the possession of Sony; and (10) future costs in terms of time, effort, and money necessary to prevent and repair the impact of the data breach.

Not concrete enough. To the extent the employees alleged future harm or an increased risk of harm that had not yet occurred, their allegations failed to allege a cognizable injury and could not support their negligence claim. Their general allegations of lost time were likewise too speculative. And to the extent they relied on a theory that their personal information constituted property, that failed as well; the court found they had offered no authority that “an individual’s personal identifying information has any compensable value in the economy at large.”

Concrete enough. But the employees also had alleged costs already incurred, including those associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit. In the context of data breach cases, California had not yet considered whether costs relating to credit monitoring or other prophylactic measures sufficiently support a negligence claim, but the court pointed out the issue had been addressed in the context of exposure to toxic chemicals.

Cost of monitoring. Looking to toxic chemical monitoring as an analogy, the court said monitoring is compensable where evidence shows that the need for future monitoring is a reasonably certain consequence of the defendant’s breach of duty, and the monitoring is reasonable and necessary. Accordingly, it adapted the chemical monitoring five-factor test to the data breach context, considering: (1) the significance and extent of the compromise to the PII; (2) the sensitivity of the compromised information; (3) the relative increase in the risk of identity theft when compared to both the employees’ chances of identity theft had the data breach not occurred, and the chances of the public at large being subject to identity theft; (4) the seriousness of the consequences resulting from identity theft; and (5) the objective value of early detection.

Applying this standard, the court found the complaint sufficiently alleged facts to support the reasonableness and necessity of credit monitoring. It alleged that Sony’s data breach resulted in the public disclosure of its employees’ most sensitive, non-public PII, including Social Security numbers, employment files, salary and bank account information, health insurance and other medical information, names, home and email addresses, visa and passport numbers, and retirement plan data. Their records were posted on file-sharing websites and traded on networks; they alleged their Social Security numbers were copied more than 1.1 million times throughout the 601 files stolen from Sony. Hackers posted some of the PII with a message to Sony employees threatening to release even more.

But not delay in notification. As for identity theft, it was reasonable to infer that the data breach and resulting publication of their personal information drastically increased their risk relative to both the time period before the breach and the risk borne by the general public. Allegations that some employees had already received notification of attempted identity theft highlighted the value of early detection to the court, and it determined that costs relating to credit monitoring, identity theft protection, and penalties were cognizable injuries. But Sony’s alleged delay in notification did not proximately cause any of the economic injury the complaint alleged, and so the court dismissed the portion of the claim based on Sony’s alleged duty to timely notify.

Economic loss—special relationship. Although purely economic loss cannot be recovered on a negligence claim, there is an exception where a special relationship exists between the parties, which is determined by the extent to which the transaction was intended to affect the plaintiff; the foreseeability of harm to the plaintiff; the degree of certainty that the plaintiff suffered injury; the connection between the defendant’s conduct and the injury; the “moral blame” attached to the defendant’s conduct; and the policy of preventing future harm.

The former employees asserted that to receive compensation and employment benefits, they were required to provide their PII to Sony; there was no doubt that this “transaction” was intended to affect them, and prior data breaches at other Sony companies, plus its own security systems audits, made it foreseeable that a data breach would occur, but Sony allegedly decided not to “shore up” its systems. These allegations established a special relationship that provided an exception to the economic loss doctrine and the court refused to dismiss the negligence claim based on the alleged breach of duty to maintain adequate security measures.

No breach of implied contract. The breach of implied contract theory was based on allegations that Sony offered employment in exchange for compensation and benefits, but to receive them, the employees had to provide their names, addresses, Social Security numbers, medical information, and other personal information. They alleged that Sony deliberately failed to maintain an adequate security system, which breached the implied covenant of good faith, but the court disagreed that there were any facts indicating that Sony’s acts were intended to frustrate the agreed common purpose of the agreement: employment in exchange for compensation and benefits. Additionally, the class included members who were no longer employed at the time of the security breach. As a result, the court dismissed the implied contract claim without leave to amend.

No California Customer Records Act claim. Nor could the employees sue under the state Customer Records Act, because they were not “customers” within the meaning of the Act, which is intended to protect California residents in their role as customers and limits remedies to claims against businesses that violated the statute by failing to provide notice or by mishandling information regarding customers. This statutory claim was dismissed with prejudice.

California Confidentiality of Medical Information Act, unfair competition. However, the court let stand allegations that Sony violated Sec. 56.20 of the Confidentiality of Medical Information Act by failing to maintain the confidentiality of their medical information and to protect it from unauthorized use. The statute speaks of liability for entities that “negligently released confidential information or records,” which under state precedent did not require an affirmative act on the part of an employer. Because Sony had admitted to the compromise of HIPAA-protected health information, the court refused to dismiss this CMIA claim. And because the employees’ negligence and CMIA claims survived dismissal, there were predicate claims that formed the basis for their Unfair Competition Law claim, which the court also refused to dismiss.

No claim under Colorado, Virginia data breach notification law. But because the employees failed to plausibly allege any injury resulting from Sony’s alleged untimely notification, their claims under the Colorado and Virginia data breach notification laws also failed.