Just a few months ago, Sony Corp. announced a settlement that offered $15 million in free games and other services in response to a wave of claims involving a breach of consumer data of 77 million users of its PlayStation Network.
Legal experts say that the potential liability claims that Sony Pictures Entertainment faces as the result of the hack attack perpetrated by the so-called Guardians of Peace could be even more widespread and costly.
The exposure of everything from Social Security numbers, salaries, home addresses and passwords to deal information on major movie releases could invite a wide range of litigation. If hackers were able to obtain health-care information, that could even trigger health information privacy rules.
“It is a huge problem on so many fronts, from employees to talent to business partners to shareholders,” says Greg Aldisert, a partner at the Los Angeles firm of Kinsella, Weitzman, Iser, Kump & Aldisert. Ira Rothken, a Novato, Calif., attorney who represented one of the plaintiffs in the PlayStation litigation, says that as extensive and unprecedented as the breach is, it is wise to hold off on litigation until investigators come to some sort of conclusion, which may be months away.
“We need to get what the cause of the data breach was before we can determine if Sony has any liability for what I would call the ‘data security oil spill,’” he explains.
At the center of Sony’s potential liability is going to be whether the studio exercised “reasonable care” in protecting confidential or private information. The claim that the company failed to do that with its PlayStation consumer information was among the arguments in that class action litigation, even though the company denied it.
“These are basically negligence questions,” Aldisert says. “It is really hard to say without expert testimony about what is reasonable or what is enough protection.” He added that it likely would be a greater problem for Sony if the hacking was from a former employee, as opposed to being something more organized and nefarious. “Given the sophisticated nature of the hacking, it may be harder to say they didn’t use ordinary care,” he says.
In other words, Sony may be able to argue the unprecedented nature of the breach made it unforeseen.
Typical cyber-attack cases have dealt with hackers who are financially motivated, and who are attacking servers and obtaining financially related e-mails and addresses, Rothken says. In a way, that kind of attack is “much more benign,” he adds. “This current attack seems to be motivated by some sort of retaliation or ideology, where information was either destroyed or made public.”
But Rothken notes that a variety of laws would be in play in cases arising from this hack that haven’t been in play in cases involving consumers. “Notwithstanding the importance of technology and the Internet in modern business, there actually is a scarcity of case law in this area,” he adds.
While the potential claims of employees would delve into areas like privacy, Sony’s business partners, celebrities and their representatives, and even profit participants could start lining up if it turns out the studio didn’t take reasonable safeguards to protect personal information.
Devin McRae, partner at the Los Angeles firm of Early, Sullivan, Wright, Gizer & McRae, says that there is also the potential for contract claims, such as violations of non-disclosure agreements, or breach of fiduciary duty to conceal highly sensitive data. Profit participants on movies that were exposed could try to prove that the breach diminished box office returns.
“Anybody who was hurt as a result of this could look at Sony and have a potential claim,” McRae says.
A challenge for plaintiffs who try to blame Sony over personal information being divulged is that they would have to prove damages such as identity theft were tied to the disclosure of that information, McRae notes. Sony has offered credit-monitoring services to minimize the potential for such damages.
And Sony could get “a large dose of corporate sympathy” if the manner and method of the security attack was unforeseen or deemed to be overly aggressive, says Rothken, particularly if it turns out to have come from another country. There is serious speculation North Korea might be behind the hack, in retaliation for Sony’s upcoming comedy release “The Interview,” which stars Seth Rogen and James Franco as a pair of tabloid TV reporters recruited to assassinate the country’s dictator, Kim Jong-un.
But repercussions could extend beyond claims directly related to the hack attack. Disclosure of contract details and internal emails could have an impact on profit participation lawsuits, in which litigators may have a better sense of a studio’s business practices. The leaked information itself may not be admissible, but “the fact that you know where the bones are buried gives you a big advantage” in such litigation, Aldisert says.
“The fallout will go on for a long time,” he adds. “Whatever the data breaches were before, this is a much bigger scale and bigger problem for Sony.”