Lessons from the Sony Hack: The Importance of a Data Breach Response Plan
In a decision emphasizing the need for employers to focus on data security, on June 15, 2015, the U.S. District Court for the Central District of California refused to dismiss a lawsuit filed by nine former employees of Sony Pictures Entertainment who allege the company’s negligence caused a massive data breach. Corona v. Sony Pictures Entm’t, Inc., Case No. 2:14-cv-09600 (C.D. Ca. June 15, 2015).
In November 2014, Sony was the victim of a cyber-attack, which has widely been reported as perpetrated by North Korean hackers in retaliation for “The Interview,” a Sony comedy parodying Kim Jong Un. According to the complaint in this case, the hackers stole nearly 100 terabytes of data, including sensitive personal information, such as financial, medical, and other personally identifiable information (“PII”), of at least 15,000 current and former Sony employees. The hackers then posted this information on the internet and used it to threaten individual victims and their families. The nine named plaintiffs purchased identity protection services and insurance, and took other measures, to protect their compromised PII.
The plaintiffs filed a class action lawsuit alleging Sony failed to implement and maintain adequate security measures to protect its employees’ PII, and then improperly waited at least three weeks to notify plaintiffs that their PII had been compromised. The plaintiffs asserted claims of negligence, breach of implied contract, and statutory violations of California, Virginia, and Colorado law.
Sony moved to dismiss the complaint. First, Sony argued that plaintiffs lacked standing because they had not alleged a current injury or a threatened injury that is currently impending. The court disagreed, concluding that the allegations of increased risk of future identity theft sufficiently established certainly impending injury.
Sony then challenged the viability of each claim. While the court dismissed certain of the claims, the court allowed the plaintiffs to proceed with their claims of negligence and violations of California’s Confidentiality of Medical Information Act and Unfair Competition Law. Key to the court’s decision on the negligence claim were its findings that (a) the costs plaintiffs incurred related to credit monitoring, identity theft protection, and penalties resulting from frozen credit constituted a cognizable injury, and (b) an exception to the economic loss doctrine applied because the parties had a “special relationship” whereby plaintiffs had to provide their PII to Sony in order to get paid and receive benefits.
Regarding the Confidentiality of Medical Information Act claim, the court found sufficient the allegations that Sony failed to maintain the confidentiality of the plaintiffs’ medical information, which Sony has admitted included HIPAA-protected health information, and failed to institute reasonable safeguards to protect that information from unauthorized use.
While it remains to be seen whether the plaintiffs will prevail on any of their theories of recovery against Sony, this matter should be a lesson to companies that have not implemented appropriate data security measures that the consequences of a breach extend well beyond the loss of proprietary information. Employers have a duty to protect the sensitive personal information that they obtain from their employees, and the failure to take preventative measures may result in legal claims, reduction in employee morale, and loss of reputation.
Employers should begin by auditing their information technology infrastructure and network for security vulnerabilities. Any such audit should be done under the supervision of counsel to maintain the privilege and confidentiality of the audit. Based on that audit, employers should take steps to mitigate the vulnerabilities found to a reasonable and appropriate level given the threats to the organization. The Sony breach, like nearly all recent breaches, had an element of social engineering. To protect against these types of attacks employers should also train their workforces on information security best practices. Finally, employers should be prepared to respond to breaches when they occur. Employers should formulate and implement a breach response plan to minimize the time from the discovery of the compromise to the reporting of the incident to affected persons.
If a data breach does occur, the company should immediately execute the data breach response plan and quickly investigate the nature and scope of the data breach. A forensic review should be conducted using an IT specialist who can trace the origins of the breach. Employees and anyone else affected should be notified so that they may take appropriate steps to prevent or limit identity theft and other damages. Employers also should consider proactively notifying the police in order to work with the local cyber-crimes unit, as well as filing a civil suit against the perpetrator(s) to obtain injunctive relief and reduce further damage. Appropriate legal counsel can assist in pursuing these options.