Federal Court Advances Sony Hack Lawsuit

     LOS ANGELES (CN) – Sony employees’ negligence lawsuit can move forward because of the studio’s failure to adequately protect its computer network against a cyberattack, a federal judge has ruled.
     U.S. District Judge Gary Klausner on Monday granted in part Sony’s motion to dismiss claims that North Korean hackers’ data breach compromised past and present employees’ sensitive personal information, leaving them vulnerable to identity theft and fraud.
     The judge, however, denied the motion as to negligence based on breach of duty to maintain adequate security measures.
     “As a result of Sony’s failure to maintain an adequate security system and timely notify plaintiffs of the breach, plaintiffs suffered the injury,” Judge Klausner wrote.
     After initially making their claims in state court, Michael Corona and eight others filed a March federal class action complaint against Sony Pictures Entertainment after a massive data breach in November 2014 of Sony’s computers.
     The group Guardians of Peace stole almost 100 terabytes of data from Sony, compromising the personal information of 15,000 current and former employees. U.S. officials suspect that North Korea sponsored the attack in response to the Seth Rogen and James Franco comedy “The Interview,” about a plot to assassinate North Korean leader Kim Jong-un.
     Sony’s own remediation efforts meant that employees had to buy their own ID protection services and insurance after the attack, according to the court order.
     The plaintiffs’ personal information has been “traded on black market websites and used by identity thieves” after records were posted on file sharing sites and exchanged on torrent networks, the order states.
     “Social security numbers were copied more than 1.1 million times throughout the 601 files stolen from Sony,” says the order, noting that sensitive information included salary and bank account information, and visa and passport numbers.
     Though Judge Klausner ruled that the plaintiffs alleged a “cognizable injury by way of costs relating to credit monitoring, identity theft protection, and penalties” the court found it “implausible” that Sony’s alleged delay in notifying employees about the breach had “caused any of the economic injury.”
     But Klausner said Sony could have foreseen the cyberattack because of previous data breaches at other Sony companies and audits of its security systems.
     “Sony made a business decision to not expend the money needed to shore up its system, and instead to accept the risk of a security breach,” the judge wrote in the 9-page order.
     Sony won dismissal of the complaint’s claims of breach of implied contract, and violation of the California Customer Records Act, as well as two claims relating to data breach laws in Virginia and Colorado, where two of the plaintiffs reside.
     The court ruled as “premature” Sony’s move to dismiss the plaintiffs’ claims for injunctive relief and a declaratory judgment. It also advanced claims for violation of the California Confidentiality of Medical Information Act, and unfair competition.
     Sony could not immediately be reached for comment on Wednesday.

%d bloggers like this: