Former Employees Are Suing Sony Over 'Epic Nightmare' Hack | WIRED

The plot of the Sony hack drama has taken a new turn.

Two former employees of Sony Pictures Entertainment filed a class-action lawsuit against the studio giant on Monday for failing to properly secure sensitive employee data.

The recent widespread breach of Sony has resulted in the theft and release of documents exposing Social Security numbers and birth dates of employees as well as information about medical conditions. The workers say the company had not only a duty to protect their data but a strict legal responsibility to secure medical information under California law.

Calling the breach an “epic nightmare, much better suited to a cinematic thriller than real life,” the plaintiffs also say that Sony failed to adequately notify former workers who may have been affected by the breach.

“Put simply, Sony knew about the risks it took with its past and current employees’ data,” the plaintiffs wrote in their suit. “Sony gambled, and its employees—past and current—lost.”

The two plaintiffs in the lawsuit, Michael Corona and Christina Mathis, worked at Sony from 2004 to 2007 and from 2000 to 2002 respectively. Both say their Social Security numbers were leaked, and Corona says his salary history and reason for resigning were also exposed.

Sony has been hacked before, which could help bolster the plaintiffs’ claims about lax security. In 2011, members of Anonymous and LulzSec tore through the company’s networks—first going after its PlayStation Network, where they stole data pertaining to more than 75 million customers. A second breach at Sony Online Entertainment compromised an additional 25 million customers. Sony Pictures and Sony BMG were also struck. Those breaches affected customers, not employees, but they work in the plaintiffs’ favor to show that Sony might have had ongoing security problems that it failed to fix.

Internal Sony documents leaked by the hackers in the current breach indicate that Sony’s security was still lax despite previous hacks. The leaks include data sheets listing servers holding unencrypted Social Security numbers and passwords for employees and others, as well as emails discussing a breach the company had in February that may or may not have been part of the wider breach exposed last month.

Sony breached its duty, according to the lawsuit by “failing to design and implement appropriate firewalls and computer systems, failing to properly and adequately encrypt data, losing control of and failing to timely re-gain control over Sony Network’s cryptographic keys, and improperly storing and retaining Plaintiffs’ and the other Class members’ [personally identifiable information] on its inadequately protected Network.”

Breach Lawsuits Rarely Succeed

It’s not unusual for companies that suffer breaches, like Sony and Target, to find themselves besieged by lawsuits, but ones filed by the individuals whose personal data is stolen rarely succeed. Generally these lawsuits have involved stolen credit cards that could result in fraudulent charges or the theft of personal information that puts the person at risk of identity theft, and courts have thrown out the suits for lack of standing. With banks assuming liability for fraudulent charges made to stolen bank card accounts, victims don’t have any damages they need to recover, and unless there is actual proof of identity theft, the mere potential for harm has been insufficient in most cases to successfully sue.

There’s an exception to this, however, that could help give the Sony lawsuit legs: a recent class-action suit around a breach at Adobe could prove useful for the Sony plaintiffs. In the Adobe case, a California court declined to throw out the suit, saying the plaintiffs had standing because they suffered an impending threat of harm, not merely the potential for harm, because their data had been posted online for anyone to grab and use.

“The [Adobe] case signals that the courts are ready to start … recognizing new types of harm that security breaches and inadequate security measures cause or trigger,” says Princeton law professor Andrea Matwyshyn. “We’re seeing courts more willing to entertain these kinds of lawsuits because the problems are real—particularly if you have evidence of a history of known security flaws that went unfixed a court would be more likely to consider a suit by employees or other harmed parties.”

Sony employees and former employees could argue they also suffer an impending threat, since their sensitive data has already been publicly released by the hackers. They would still have an uphill battle to prove harm, if they want damages, but it would provide them with an opportunity for discovery, which could further expose Sony’s bad security practices to the public.

“Sony gambled, and its employees—past and current—lost.”

But the Sony case may also have staying power that other cases have lacked because employers have a duty of care for their employees that goes beyond their duty to customers, Matwyshyn says.

“This is untested territory,” says Matwyshyn, a professor with Princeton’s Center for Information Technology Policy, “but employers are held to a higher standard of care with respect to the safety of their employees. Employers, for example, are responsible for providing a safe work environment of their employees and there are OSHA rules around the physical safety of employees. So it is arguably a natural extension that heightened levels of care would also extend to data management questions because of that trusted relationship.”

She’s not aware of other lawsuits involving public companies that are similar to the Sony case, saying this is a new area of litigation that is bound to grow, particularly as the kinds of records stolen change. Although Social Security numbers and financial records of employees are sensitive, the medical information involved in the Sony breach raises new questions that could affect other companies involved in breaches, she says. Sony is not a health-care facility or so-called “covered” entity as it’s defined under the federal statute HIPAA, and therefore is not subject to the same requirements for securing medical data that governs hospitals and doctors under that law, says Matwyshyn. But California has a medical records protection law that requires employers to secure employee medical records that would cover Sony. And, as an international company, Sony could also face problems in Europe where data-protection laws can be fierce.

Matwyshyn notes, also, that employees might not be Sony’s only worry when it comes to litigation over its breach. Other suits could follow from Sony business partners, shareholders, celebrities and others if they claim the release of emails exposing sensitive information about business deals and private matters caused them harm.

“We’re seeing the first traction of these types of embedded business relationships giving rise to data-breach litigation,” she says. “This will continue and that is the sort of situation that might have life [in a court].”

Sony could also face trouble with the Federal Trade Commission for deceptive trade practices, notes Brian Hall, a partner in the labor and employment department of the PorterWright law firm in Ohio. In 2012, the FTC filed a complaint against Wyndham Hotels for failing to protect consumer information.

If the FTC does get involved, it would put Sony’s security practices under heavy scrutiny. “They’re definitely going to start looking at Sony’s data security [practices]” if that’s the case, says Hall.

http://www.wired.com/2014/12/sony-getting-sued-former-employees-protecting-data/