A federal judge in California has denied an attempt by Sony Pictures Entertainment Inc. to dismiss a class-action lawsuit brought by nine employees who claim the company’s lack of adequate cybersecurity caused a massive breach that exposed financial, health and other personally identifiable information of at least 15,000 current and former Sony employees.
Sony had argued the employees lacked Article III standing because the employees failed to allege injury.
U.S. District Court Judge R. Gary Klausner disagreed. He pointed out that the employees allege their PII was posted to file-sharing websites for identity thieves to download, and the information stolen was used to send emails threatening physical harm to them and their families.
“These allegations alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury,” ruled Klausner.
Employees Michael Corona and Christina Mathis in March filed the federal suit in Los Angeles. It alleges Sony Pictures failed to protect its computer networks and failed to “timely protect confidential information” of current and former employees. The suit describes an “epic nightmare, much better suited to a cinematic thriller than to real life.”
Corona and Mathis each claim to have spent hundreds of dollars on identity theft protection and many hours on efforts to safeguard their identities. The former employees said the cyber attack stole tens of thousands of social security numbers, which were copied more than one million times. In a letter to employees following the November 2014 breach—supposedly the work of North Korea—Sony said the types of information that may have been stolen included names and addresses, social security numbers, driver’s license numbers, bank account and credit card information, and HIPAA-protected health information.
The employees allege negligence, and here, according to the ruling, Sony has a point in its motion. Klausner dismissed the portion of the claim based on Sony’s alleged duty to timely notify plaintiffs. Although he acknowledged the employees had some concrete expenses related to credit monitoring and penalties, Klausner said, “The court finds implausible any argument that Sony’s alleged delay in notification proximately caused any of the economic injury [to plaintiffs]. These injuries fail to constitute incremental harm suffered by plaintiffs as a result of any delay.”
The movie The Interview seems to have provided the inspiration for the Sony Pictures hacking by a group calling itself the “Guardians of Peace.” The movie, a comedy, included a plot to assassinate North Korean leader Kim Jong Un. Millions of files were stolen. Undetectable wiper malware rendered computers inoperable. The group subsequently threatened theaters scheduled to show the movie, as well as movie-goers.