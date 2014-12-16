(The opinions expressed here are those of the author, a
By Alison Frankel
NEW YORK - Sony's headaches from the wholesale theft of its
data worsened Tuesday when two former employees filed the first
class action accusing the movie studio of failing to protect
their confidential information.
The former employees, represented by Keller Rohrback, allege
that Sony was negligent for leaving its computer systems
insufficiently shielded from hackers. They also claim Sony
violated a California state law that requires employers to
protect employees' medical records, as well as California and
Virginia state laws requiring companies to put out broad
notifications when their data storage systems are breached.
The complaint was filed in federal court in Los Angeles on
behalf of thousands of current and former Sony employees and
family members who, according to plaintiffs' lawyer Gretchen
Cappio, "are outraged their private information is floating
around the Internet."
The two former Sony employees who brought the case said in
the complaint that they have already spent hundreds of dollars
on services to protect thieves from using hacked information to
steal their identities and ruin their credit ratings.
Their lawyers told me that hackers have released so much and
such specific personal information about Sony employees and
their families - including Social Security and passport numbers,
health records and addresses - that class members will have to
monitor their credit and identities for years to come.
Cappio said that the class has not put a dollar figure on
damages, but the cost of minimizing the harm to Sony employees
is "a very expensive proposition, both in time and money."
For the class action to move forward, though, Sony employees
will have to show not just that the hack poses a threat of
injury but that they've actually been harmed by the release of
their personal information or will suffer "certainly impending"
harm.
The U.S. Constitution's provision on standing to sue in
federal court requires that condition to be met, according to
the U.S. Supreme Court's 2013 ruling in Clapper v. Amnesty
International, a case that addressed a challenge to wiretapping
by the National Security Agency but has since become a powerful
weapon for defendants in data breach class actions.
In more than a half-dozen cases against retailers whose
customer information was hacked, federal judges have ruled that
consumers couldn't sue because, under Clapper, they hadn't
suffered an actual injury. (The retailer Target has made
precisely that argument in a motion to dismiss a gigantic
consumer data breach class action against it in Minneapolis
federal court; the motion was argued earlier this month but
hasn't been decided.)
WHAT CONSTITUTES INJURY?
From the time the Clapper decision came down from the
Supreme Court, only one federal judge has disagreed with a data
breach defendant's narrow reading of what constitutes an injury
to hacking victims, according to Westlaw.
That exception, though, is great case law for the Sony
employees.
In September, in In re Adobe Systems Privacy Litigation,
U.S. District Judge Lucy Koh of San Jose refused to dismiss a
data breach suit against Adobe, finding that the Supreme Court's
Clapper opinion didn't really remake the law on constitutional
standing.
Koh said that Adobe customers whose data was exposed by
hackers had suffered an actual injury from the risk their
information would be misused. She also said that they had
constitutional standing by virtue of the money they spent to
mitigate the potential harm - a holding that other judges have
found to be barred under Clapper.
According to Judge Koh, the appropriate precedent in the 9th
U.S. Court of Appeals, even after the Clapper ruling, is a 2010
decision in Krottner v. Starbucks, which involved the theft of a
laptop containing unencrypted information on nearly 100,000
Starbucks employees.
The 9th Circuit in Krottner said that because the theft
posed a "credible threat of real and immediate harm" to a class
of Starbucks employees, those employees met constitutional
requirements for standing. (The case was dismissed on other
grounds.)
Counsel for the class in the Starbucks case was Keller
Rohrback, the same firm that filed Tuesday's suit against Sony.
Keller lawyers Cappio and Lynn Sarko said that the threat to
Sony employees is so serious that Sony shouldn't even attempt to
contest their constitutional standing to sue.
"Are they really going to claim that the disclosure of
personnel files and medication information is not a harm?" Sarko
said. "I would be shocked if a judge were to find no injury. ...
And I think the public would be outraged."
Sony paid $15 million last summer to settle a class action
by PlayStation purchasers whose information was hacked in 2011,
Sarko and Cappio pointed out, so the company knows the risk it
faces from data breach cases.
The new complaint also asserts that Sony's vulnerability to
the hackers who stole its information this fall is all the more
egregious because the 2011 hack should have put the company on
notice.
The Keller Rohrback lawyers said they have heard from dozens
of current and former Sony employees but won't be surprised if
another plaintiffs' firm also brings a class action for
employees.
One final point: I asked Cappio whether Sony employment
contracts included clauses mandating arbitration of employee
claims. She very carefully answered that her firm was "unaware
of any arbitration contracts of adhesion that would in any way
affect the outcome of this litigation."
The complaint says that California's notification law
includes an anti-waiver provision.
A Sony representative declined a Reuters request for
comment.
