January 17, 2019

Lessons from the Sony Hack: The Importance of a Data Breach Response Plan

In a decision emphasizing the need for employers to focus on data security, on June 15, 2015, the U.S. District Court for the Central District of California refused to dismiss a lawsuit filed by nine former employees of Sony Pictures Entertainment who allege the company’s negligence caused a massive data breach. Corona v. Sony Pictures Entm’t, Inc., Case No. 2:14-cv-09600 (C.D. Cal. June 15, 2015).


In November 2014, Sony was the victim of a cyber-attack, which has been widely reported as perpetrated by North Korean hackers in retaliation for “The Interview,” a Sony comedy parodying Kim Jong Un. According to the complaint in this case, the hackers stole nearly 100 terabytes of data, including sensitive personal information, such as financial, medical, and other personally identifiable information (“PII”), of at least 15,000 current and former Sony employees. The hackers then posted this information on the internet and used it to threaten individual victims and their families. The nine named plaintiffs purchased identity protection services and insurance, and took other measures, to protect their compromised PII.

The plaintiffs filed a class action lawsuit alleging Sony failed to implement and maintain adequate security measures to protect its employees’ PII, and then improperly waited at least three weeks to notify plaintiffs that their PII had been compromised.  The plaintiffs asserted claims of negligence, breach of implied contract, and statutory violations of California, Virginia, and Colorado law.

Sony moved to dismiss the complaint.  First, Sony argued that plaintiffs lacked standing because they had not alleged a current injury or a threatened injury that is currently impending.  The court disagreed, concluding that the allegations of increased risk of future identity theft sufficiently established certainly impending injury.

Sony then challenged the viability of each claim.  While the court dismissed certain of the claims, the court allowed the plaintiffs to proceed with their claims of negligence and violations of California’s Confidentiality of Medical Information Act and Unfair Competition Law.  Key to the court’s decision on the negligence claim were its findings that (a) the costs plaintiffs incurred related to credit monitoring, identity theft protection, and penalties resulting from frozen credit constituted a cognizable injury, and (b) an exception to the economic loss doctrine applied because the parties had a “special relationship” whereby plaintiffs had to provide their PII to Sony in order to get paid and receive benefits.

Regarding the Confidentiality of Medical Information Act claim, the court found sufficient the allegations that Sony failed to maintain the confidentiality of the plaintiffs’ medical information, which Sony has admitted included HIPAA-protected health information, and failed to institute reasonable safeguards to protect that information from unauthorized use.

While it remains to be seen whether the plaintiffs will prevail on any of their theories of recovery against Sony, this matter should be a lesson to companies that have not implemented appropriate data security measures: the consequences of a breach extend well beyond the loss of proprietary information. Employers have a duty to protect the sensitive personal information that they obtain from their employees, and the failure to take preventative measures may result in legal claims, reduced employee morale, and loss of reputation.

Employers should begin by auditing their information technology infrastructure and network for security vulnerabilities.  Any such audit should be done under the supervision of counsel to maintain the privilege and confidentiality of the audit.  Based on that audit, employers should take steps to mitigate the vulnerabilities found to a reasonable and appropriate level given the threats to the organization.  The Sony breach, like nearly all recent breaches, had an element of social engineering. To protect against these types of attacks employers should also train their workforces on information security best practices.  Finally, employers should be prepared to respond to breaches when they occur.  Employers should formulate and implement a breach response plan to minimize the time from the discovery of the compromise to the reporting of the incident to affected persons.

If a data breach does occur, the company should immediately execute the data breach response plan and quickly investigate the nature and scope of the data breach.  A forensic review should be conducted using an IT specialist that can trace the origins of the breach.  Employees and anyone affected should be notified so that they may take appropriate steps to prevent or limit identity theft and other damages.  Employers also should consider proactively notifying the police to work with the local cyber-crimes unit, as well as filing a civil suit against the perpetrator(s) to obtain injunctive relief and reduce further damage.  Appropriate legal counsel can assist in pursuing these options.


©2019 Epstein Becker & Green, P.C. All rights reserved.

About this Author

Member

NATHANIEL M. GLASSER is a Member of the Firm in the Labor and Employment practice, in the Washington, DC, office of Epstein Becker Green. His practice focuses on the representation of leading companies and firms, including publishing and media companies, financial services institutions, and law firms, in all areas of labor and employment relations.

Mr. Glasser’s experience includes:

  • Defending clients in employment litigation, from single-plaintiff to class action disputes,...

202-861-1863
Member

MICHELLE CAPEZZA is a Member of Epstein Becker Green in the Employee Benefits and Health Care and Life Sciences practices, and co-leads the Technology, Media, and Telecommunications strategic industry group. She practices law in the areas of ERISA, employee benefits, and executive compensation. Ms. Capezza has more than 18 years of experience representing a range of clients in these types of matters, from Fortune 500 companies and multinational corporations to non-profit entities, medium-sized businesses, and individual executives. Ms. Capezza provides counsel on qualified retirement plans, ERISA fiduciary responsibilities, nonqualified deferred compensation arrangements, employee welfare benefit plans, equity/incentive programs, and benefits issues that arise in corporate transactions, across various industries including financial services, health care, technology, media, telecommunications, hospitality, and retail.

212-351-4774
Member

IAN CARLETON SCHAEFER is a Member of the Firm in the Labor and Employment practice, in the New York office of Epstein Becker Green. He co-leads the Technology, Media, and Telecommunications ("TMT") strategic industry group and serves as co-editor of the Technology Employment Law blog. Named to the New York Metro Rising Stars list (2011, 2013, 2014) in the area of Employment & Labor, Mr. Schaefer provides a practical and results-driven approach to counseling and defending employers on the full spectrum of employment issues. He has...

212-351-4787