skip to main content

Will Sony Be Liable For Its Data Breach?

Eight class action lawsuits have been filed since the disclosure that the personal information of 47,000 Sony employees was breached.  The hackers have not been confirmed, despite claims that the North Korean government was behind the attack.  Yet the lawsuits are not targeting the hackers—they target Sony.

In general, the different lawsuits allege that Sony did not do enough to safeguard the personal information of its employees.  More specifically, the plaintiffs allege a variety of legal claims, ranging from negligence to violations of California's Confidentiality of Medical Information statute.  If the employees prevail, they might be entitled to tens of millions of dollars in damages.

As support for the claim that Sony was lax in its security protocols, plaintiffs have cited an April 2011 hacking incident.  During that breach, 77 million users' data were stolen from Sony's PlayStation Network.  The lawsuits also cite several e-mails, which the hackers had leaked, that discuss other Sony cybersecurity vulnerabilities.  This prior breach and these e-mails provide the plaintiffs with evidence that Sony has not been as vigilant on cybersecurity matters as it could have been.   

What makes this case different from some of the other, recent cyber-attacks is that this situation deals with the breach of employee information.  The Target and Home Depot attacks compromised the credit cards of its customers.  Here, Sony employees had more sensitive information disclosed, including Social Security numbers, bank account numbers, health care information, and salary histories.  There are both Federal and state statutes that prohibit the disclosure of health care information.  If in fact Sony has breached these statutes, even if it did not do so intentionally, this means that Sony's liability is greater than those companies who had their customers' credit cards breached.

These lawsuits and the others have spurred many corporate advisers to call for companies to analyze their cybersecurity vulnerabilities.  In fact, some have said that CEOs and Boards of Directors need to recognize that oversight of cybersecurity risks is part of their fiduciary duties.  In furtherance of these duties, they argue, management should draft and enforce policies on cybersecurity issues.

If your business has not considered its cybersecurity vulnerabilities, then it should.  Due to the evolving nature of cybersecurity threats, it may not be a matter of if you get hacked, but when you will get hacked.  When you do get hacked, you want to be able to defend against the lawsuits by proving that you had done everything in your power to properly withstand and respond to a cyber-breach.

If you need assistance in determining how to best protect against and respond to a cyber-attack, contact a member of MacDonald Illig's Emerging Technologies Practice Group.  Also, if you know of someone who might be interested in receiving these weekly alerts, have them contact to be added to the distribution list.