Nine former Sony employees have filed an amended class action lawsuit against Sony Pictures Entertainment, alleging that the studio failed to take adequate safeguards to protect personal information that was exposed in the hacking attack last year.
“Following the breach, SPE has focused on its own remediation efforts, not on protecting employees’ sensitive records or minimizing the harm to its employees and their families,” states the amended complaint, filed on Monday in U.S. District Court in Los Angeles. “Rather, SPE has focused on securing its own intellectual property from pirates and a public relations campaign directed at controlling damage to SPE associated with the release of embarrassing internal emails.”
The lawsuit is similar to individual suits filed by the nine ex-employees in December and January, albeit going into additional detail about the breach. The plaintiffs claim that the hacking has left them vulnerable to identity theft, tax fraud, and financial theft because their Social Security numbers and other information has been made “publicly available to anyone with an Internet connection.”
The class action asks the court to require SPE to “implement and maintain security practices to comply with regulations designed to prevent and remedy these types of breaches,” as well as restitution and damages.
A spokeswoman for SPE did not immediately respond to a request for comment.
Among other things, the lawsuit points to reports that the breach exposed more than 47,000 Social Security numbers, including 15,200 from current and former employees. Some of the employees last worked at the studio as long ago as 1955, the suit claims, raising concerns about data retention policies.
It also points to reports that the initial leak included a spreadsheet that listed the names, birthdates and Social Security numbers of 3,803 employees. And it contends that hackers used the stolen data to threaten employees and their families with physical harm.
The lawsuit contends that the studio’s security practices fell below “prudent industry standards.” It cites, among other things, an audit by PricewatershouseCoopers in September 2014 that found gaps in the company’s monitoring of its systems. It also claims that SPE has yet to notify all of its former employees about the breach and the extent of their data that was exposed.
Last month, SPE’s legal team responded to the first lawsuit filed related to the hacking attack, a claim from exeployees Michael Corona and Christina Mathis. The studio said that the breach was “massive and unprecedented,” but also claimed that the plaintiffs did not having standing.
“There are no allegations of identity theft, no allegations of fraudulent charges, and no allegations of misappropriation of medical information,” Sony said in a brief filed in U.S. District Court in Los Angeles. “Instead, the plaintiffs assert a broad range of common-law and statutory cases of action based on their alleged fear of an increased risk of future harm, as well as expenses they claim to have incurred to prevent that future harm.”
Sony contends that the plaintiffs fall short of the requirement that they suffer “some concrete and particularized injury” before a lawsuit is filed.
In the amended complaint, Corona contends that he has incurred out-of-pocket costs of $700 per year in identity theft protection, which thwarted an attempt by an identity thief to open a new bank account. Mathis claims that she incurred costs of $300. Although Sony has offered identity theft protection to employees and ex-employees for 12 months, she claims that she will spend time and money for the rest of her life trying to contain the impact of the data breach.