A federal court last week refused to dismiss a class-action lawsuit by former employees of Sony, who sued Sony after a cyberattack in November 2014 resulted in the theft of their personal information. The personal information, including Social Security numbers, salary and bank account information, medical information, and even home and email addresses, was sold on the Internet and was used to threaten or blackmail the victims. Although certain claims by the former employees have now been dismissed, the court’s decision to allow their negligence claim to proceed underscores the importance of getting out in front of the inevitable security breach and taking proactive measures to prevent or contain it in the first place.
The former Sony employees alleged two separate bases for their negligence claim:
- That Sony breached a duty to implement and maintain adequate security measures to safeguard their personal information; and
- That Sony breached a duty to notify them of the security breach.
As to the notification aspect of the claim, the court rejected the employees’ argument that any delay in notification could have caused the harm alleged, finding instead that the harm would have been caused only by the security breach itself. However, the court refused to dismiss the negligence claim that was asserted on the basis of Sony’s alleged failure to implement and maintain adequate security measures. In doing so, the court noted that “Sony made a business decision to not expend the money needed to shore up its system, and instead to accept the risk of a security breach.”
The news is not all bad for defendants. The court rejected the theory of liability that relied on characterizing personal information as property of the employees (a theory of liability that plaintiffs have pursued in other cases). The court also rejected certain categories of claimed damages such as lost productivity, finding that allegations of future harm or increased risk of harm are too speculative to support a negligence claim.
Nonetheless, the court agreed with the former employees that they had alleged a cognizable injury in the form of costs already incurred for credit monitoring, costs incurred as a result of credit freezes, and related items. As these forms of harm are likely to be suffered in the event of any data security breach, the court’s ruling suggests that business entities that are sued for negligence are unlikely to prevail by arguing that no concrete injury has occurred. Instead, the salient issue is likely to be simply whether the defendant entity has done enough on the front end to implement adequate safeguards against the inevitable security breach.
As the court’s ruling demonstrates, even post-breach compliance with applicable notification statutes will not suffice to avoid liability where the entity whose security was breached failed to invest adequately in cybersecurity technology before the occurrence of a breach. Employers and other business entities would be wise to heed the court’s words of caution when making their “business decisions” and to allocate sufficient resources to strengthen their cybersecurity systems.