The plot of the Sony hack drama has taken a new turn.
Two former employees of Sony Pictures Entertainment filed a class-action lawsuit against the studio giant on Monday for failing to properly secure sensitive employee data.
The recent widespread breach of Sony has resulted in the theft and release of documents exposing Social Security numbers and birth dates of employees as well as information about medical conditions. The workers say the company had not only a duty to protect their data but a strict legal responsibility to secure medical information under California law.
Calling the breach an “epic nightmare, much better suited to a cinematic thriller than real life,” the plaintiffs also say that Sony failed to adequately notify former workers who may have been affected by the breach.
“Put simply, Sony knew about the risks it took with its past and current employees’ data,” the plaintiffs wrote in their suit. “Sony gambled, and its employees—past and current—lost.”
Sony has been hacked before, which could help bolster the plaintiff’s claims about lax security. In 2011, members of Anonymous and LulzSec tore through the company’s networks—first going after its PlayStation Network, where they stole data pertaining to more than 75 million customers. A second breach at Sony Online Entertainment compromised an additional 25 million customers. Sony Pictures and Sony BMG were also struck. Those breaches affected customers, not employees, but they work in the plaintiff’s favor to show that Sony might have had ongoing security problems that it failed to fix. Internal Sony documents leaked by the hackers in the current breach indicate that Sony’s security was still lax despite previous hacks. The leaks include data sheets listing servers holding unencrypted Social Security numbers and passwords for employees and others, as well as emails discussing a breach the company had in February that may or may not have been part of the wider breach exposed last month.
It’s not unusual for companies that suffer breaches, such as Target, to find themselves besieged by lawsuits. Generally, however, these lawsuits have involved stolen credit cards or other personal information that could result in fraudulent charges or identity theft. Courts have thrown out many of these suits for lack of standing; with banks assuming liability for fraudulent charges made to stolen bank card accounts, victims cannot prove damage, and unless there is actual proof of identity theft, the mere potential for harm has been insufficient in most cases to successfully sue. There’s an exception to this: a class-action suit around a breach at Adobe could prove useful for the Sony plaintiffs. In the Adobe case, a California court declined to throw out the suit, saying the plaintiffs had standing because they suffered an impending threat of harm after their data was posted online.
Sony employees and former employees could argue they also suffer an impending threat, since sensitive data about employees has already been publicly released by the hackers.
“The [Adobe] case signals that the courts are ready to start … recognizing new types of harm that security breaches and inadequate security measures cause or trigger,” says Princeton law professor Andrea Matwyshyn. “We’re seeing courts more willing to entertain these kinds of lawsuits because the problems are real—particularly if you have evidence of a history of known security flaws that went unfixed a court would be more likely to consider a suit by employees or other harmed parties.”
“Sony gambled, and its employees—past and current—lost.”
But the Sony case may also have staying power that other cases haven’t had because employers have a duty of care for their employees that go beyond the duty to customers, she says.
“This is untested territory,” says Matwyshyn, a professor with Princeton’s Center for Information Technology Policy, “but employers are held to a higher standard of care with respect to the safety of their employees. Employers, for example, are responsible for providing a safe work environment of their employees and there are OSHA rules around the physical safety of employees. So it is arguably a natural extension that heightened levels of care would also extend to data management questions because of that trusted relationship.”
She’s not aware of other cases involving public companies that are similar to the Sony case, saying this is a new area of litigation that is bound to grow. Although the financial records of employees are sensitive, the medical information involved in the breach raises new questions that could affect other companies involved in breaches, she says. Although Sony is not a health-care entity as it’s defined under the federal statute HIPPA, which governs the security of medical records, California may have stricter laws about medical records that would apply to Sony. As an international company, Sony could also face problems in Europe where data-protection laws can be fierce.
Matwyshyn notes, also, that employees might not be Sony’s only worry. Other suits could follow from Sony business partners, shareholders, celebrities and others if they claim the release of emails exposing sensitive information about business deals and private matters caused them harm.
“We’re seeing the first traction of these types of embedded business relationships giving rise to data-breach litigation,” she says. “This will continue and that is the sort of situation that might have life [in a court].”
No comments:
Post a Comment