Gamers Dealt a Blow in Data Breach Class Action


     (CN) - PlayStation users have limited room to sue Sony over the 2011 data breach that exposed the personal information of nearly 70 million customers, a federal judge ruled.
     As part of the registration process for establishing accounts on PlayStation Network (PSN), Qriocity and Sony Online Entertainment, customers were required to provide their personal information, including their names, billing addresses, birth dates, and credit and debit card information.
     The users claim that hackers were able to access Sony's network on April 16 or 17 in 2011 and steal the personal information of millions of Sony's customers. Although Sony knew about the breach as early as April 17, it opted to take the systems down for a month, rather than notify the affected customers immediately, according to the putative class action.
     During this time, users were allegedly unable to access services that they had pre-purchased.
     "Sony did not inform the public of the breach until April 26, 2011, when Sony made a public statement that user Personal Information had been compromised, and encouraged those affected to 'remain vigilant, to review [their] account statements[,] and to monitor [their] credit reports,'" according to a summary of the claims Tuesday from U.S. District Judge Anthony Battaglia.
     Acknowledging that the system failure had a financial impact on its customers, Sony announced in May 2011 that it would compensate users by providing free identity-theft protection services, as well as free downloads and online services.
     The class action at hand - which was consolidated from several civil actions filed across the country - was originally filed in January 2012 and alleged that Sony knew its system was vulnerable to an attack but did nothing to beef up its safeguards and failed to timely disclose the breach.
     After a large chunk of the users' claims, including negligence, unjust enrichment, bailment and violations of California consumer protection statutes, unraveled in October 2012, the class filed an amended complaint in December 2012 naming plaintiffs from nine states and alleging 51 independent causes of action.
     Judge Battaglia dismissed most of the claims in Tuesday's 97-page ruling, which finds that the class did not have standing to bring its negligence, negligent misrepresentation and warranty claims under individual state laws.
     The users also did not allege a plausible claim for relief on their negligence claims, as no special relationship existed between the parties and the users' injuries were "not a foreseeable result of Sony's alleged negligence," according to the ruling.
     Battaglia chided the users as well for not alleging that any misrepresentations by Sony led them to suffer a pecuniary loss because their "personal information does not have independent monetary value, registration and use of Sony Online Services was provided to consumers free of charge, and none of the plaintiffs allege that they paid for premium PSN services."
     The PSN user agreement, which states that all services and content are provided "as is" and "as available," meanwhile expressly disclaims implied warranty claims, the court found.
     Users can continue, however, with their claims under California's Unfair Competition Law and False Advertising Law based on omissions regarding reasonable network security and industry-standard encryption.
     "Because plaintiffs have alleged that Sony omitted material information regarding the security of Sony Online Services, and that this information should have been disclosed to consumers at the time consumers purchased their Consoles, the Court finds plaintiffs have sufficiently alleged a loss of money or property 'as a result' of Sony's alleged unfair business practices," Battaglia wrote.
     Although language in Sony's PSN Privacy Policy disclaimed any right to so-called "perfect security," the users have sufficiently pleaded that Sony misrepresented that it would take "reasonable security" measures, including using industry-standard encryption to prevent unauthorized access to sensitive financial information, according to the ruling.
     "Plaintiffs have raised an issue of fact as to whether Sony's representations, when viewed as a whole, were deceptive," Battaglia wrote.
     Battaglia also found that Sony owed its customers a legal duty to provide reasonable network security, which was separate from the PSN User Agreement, so they can pursue contract and tort remedies to the extent that they are not barred by the economic-loss doctrine.
     The Florida Deceptive and Unfair Trade Act, Michigan Consumer Protection Act, Missouri Merchandising Practices Act, New Hampshire Consumer Protection Act and the California Data Breach Act are also available to the plaintiffs, the court found.