Lieff Cabraser Civil Justice Blog

Suit Against Sony for Failure to Safeguard Confidential Employee Data Advances

This week U.S. District Judge R. Gary Klausner held that employees of Sony Pictures Entertainment Inc, whose personal information was exposed in last year’s well publicized data breach may bring claims against Sony for its alleged failure to take reasonable steps to secure the information.

In rejecting Sony’s motion to dismiss the core allegations of the lawsuit, the Court stated, “It is reasonable to infer that the data breach and resulting publication of plaintiffs’ [personal identifying information] has drastically increased their risk of identity theft, relative to both the time period before the breach, as well as to the risk born by the general public.” The Court added, “It is commonly known that the consequences resulting from identity theft can be both serious and long-lasting.”

“We are pleased that the court has properly recognized the harm to Sony’s employees resulting from their private information escaping their employer’s protection,” stated Lieff Cabraser attorney Michael W. Sobol, who serves as plaintiffs’ Co-Lead Counsel.

The complaint charges that Sony owed a duty to take reasonable steps to secure the data of its employees, and that Sony breached this duty by failing to properly invest in adequate IT security, despite receiving numerous warnings about security gaps and despite having already succumbed to multiple prior breaches, including one of the largest data breaches in history only three years ago.

In late 2014, the personal identifiable information of thousands of current and former Sony employees and their families was obtained and published on websites across the Internet. Among the staggering array of personally identifiable information compromised were medical records, Social Security Numbers, birth dates, personal emails, home addresses, salaries, tax information, employee evaluations, disciplinary actions, criminal background checks, severance packages, and family medical histories.

As alleged in the complaint, much of this personal information was posted on file-sharing websites for identity thieves to download. In addition, the information has been used to send emails threatening physical harm to employees and their families.