Sony Faces Data Breach Class Actions
Author: Marta Moakley, XpertHR Legal Editor
December 19, 2014
Sony Pictures Entertainment, Inc. became the subject of three proposed class action lawsuits this week. All three lawsuits relate to a breach of the corporation's computer systems that may have released tens of thousands of Social Security numbers and other confidential information to the general public.
Sony's recent woes span the legal liability spectrum from national security concerns to commercial contracts to employee class actions. National coverage of the breach has prompted White House Press Secretary Josh Earnest to weigh in on the matter.
The employee lawsuits were filed in quick succession. The first two actions, filed on December 15 and 16, respectively, were followed by a third proposed class action filed on December 17 - the same day Sony decided to cancel its Christmas Day release of the film at the center of the controversy, The Interview.
Michael Corona and Christina Mathis, both former employees of Sony, allege in their December 15 complaint that the company failed to address vulnerabilities to its systems following a separate 2011 data breach incident involving its PlayStation video game network. The next case was filed in state court by two former movie production workers (Susan Dukow and Yvonne Yaconelli) concerned that their sensitive financial and medical information was maintained by Sony for too long.
On December 17, Joshua Forster and Ella Carline Archibeque, also former employees of Sony, filed a complaint alleging violations of the following California statutes as well as a common law negligence claim:
- California Customer Records Act;
- Confidentiality of Medical Information Act; and
- Violation of the California Unfair Competition Law.
These former employees allege that the massive data breach resulted in the release of their:
- Names;
- Home and email addresses;
- Social Security numbers;
- Visa and passport numbers;
- Banking account routing information;
- Salary and retirement plan data; and
- Health and medical information.
Finally, the employees have alleged that Sony did not employ adequate record retention and destruction practices. In fact, personally identifiable employee information dating back to 1955 may have been misappropriated as a result of the breach.
Employers are subject to an array of requirements regarding confidential information under various federal and state laws. For example, an employer must comply with the confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA) regarding protected health information.
Sony faces mounting liability risks from this breach. In addition to the lost revenues related to the film's cancelled release, possible lawsuit settlements and mounting negative reaction to leaked electronic information continue to threaten the corporation's bottom line.