Do Sony employees have the right to sue over data breach?

December 16, 2014

Sony’s headaches from the wholesale theft of its data worsened Tuesday when two former employees filed the first class action accusing the movie studio of failing to protect their confidential information. The former employees, represented by Keller Rohrback, allege that Sony was negligent for leaving its computer systems insufficiently shielded from hackers. They also claim Sony violated a California state law that requires employers to protect employees’ medical records, as well as California and Virginia state laws requiring companies to put out broad notifications when their data storage systems are breached. The complaint was filed in federal court in Los Angeles on behalf of thousands of current and former Sony employees and family members who, according to plaintiffs’ lawyer Gretchen Cappio, “are outraged their private information is floating around the Internet.”

The two former Sony employees who brought the case said in the complaint that they have already spent hundreds of dollars on services to prevent thieves from using hacked information to steal their identities and ruin their credit ratings. Their lawyers told me that hackers have released so much and such specific personal information about Sony employees and their families – including Social Security and passport numbers, health records and addresses – that class members will have to monitor their credit and identities for years to come. Cappio said that the class has not put a dollar figure on damages, but the cost of minimizing the harm to Sony employees is “a very expensive proposition, both in time and money.”

For the class action to move forward, though, Sony employees will have to show not just that the hack poses a threat of injury but that they’ve actually been harmed by the release of their personal information or will suffer “certainly impending” harm. The U.S. Constitution’s provision on standing to sue in federal court requires that condition to be met, according to the U.S. Supreme Court’s 2013 ruling in Clapper v. Amnesty International, a case that addressed a challenge to wiretapping by the National Security Agency but has since become a powerful weapon for defendants in data breach class actions.

In more than a half-dozen cases against retailers whose customer information was hacked, federal judges have ruled that consumers couldn’t sue because, under Clapper, they hadn’t suffered an actual injury. (The retailer Target has made precisely that argument in a motion to dismiss a gigantic consumer data breach class action against it in Minneapolis federal court; the motion was argued earlier this month but hasn’t been decided.) From the time the Clapper decision came down from the Supreme Court, only one federal judge has disagreed with a data breach defendant’s narrow reading of what constitutes an injury to hacking victims, according to Westlaw.

That exception, though, is great case law for the Sony employees. In September, in In re Adobe Systems Privacy Litigation, U.S. District Judge Lucy Koh of San Jose refused to dismiss a data breach suit against Adobe, finding that the Supreme Court’s Clapper opinion didn’t really remake the law on constitutional standing. Koh said that Adobe customers whose data was exposed by hackers had suffered an actual injury from the risk their information would be misused. She also said that they had constitutional standing by virtue of the money they spent to mitigate the potential harm – a holding that other judges have found to be barred under Clapper.

According to Judge Koh, the appropriate precedent in the 9th U.S. Court of Appeals, even after the Clapper ruling, is a 2010 decision in Krottner v. Starbucks, which involved the theft of a laptop containing unencrypted information on nearly 100,000 Starbucks employees. The 9th Circuit in Krottner said that because the theft posed a “credible threat of real and immediate harm” to a class of Starbucks employees, those employees met constitutional requirements for standing. (The case was dismissed on other grounds.) Counsel for the class in the Starbucks case was Keller Rohrback, the same firm that filed Tuesday’s suit against Sony.

Keller lawyers Cappio and Lynn Sarko said that the threat to Sony employees is so serious that Sony shouldn’t even attempt to contest their constitutional standing to sue. “Are they really going to claim that the disclosure of personnel files and medication information is not a harm?” Sarko said. “I would be shocked if a judge were to find no injury. … And I think the public would be outraged.”

Sony paid $15 million last summer to settle a class action by PlayStation purchasers whose information was hacked in 2011, Sarko and Cappio pointed out, so the company knows the risk it faces from data breach cases. The new complaint also asserts that Sony’s vulnerability to the hackers who stole its information this fall is all the more egregious because the 2011 hack should have put the company on notice.

The Keller Rohrback lawyers said they have heard from dozens of current and former Sony employees but won’t be surprised if another plaintiffs’ firm also brings a class action for employees.

One final point: I asked Cappio whether Sony employment contracts included clauses mandating arbitration of employee claims. She very carefully answered that her firm was “unaware of any arbitration contracts of adhesion that would in any way affect the outcome of this litigation.” The complaint says that California’s notification law includes an anti-waiver provision.

A Sony representative declined a Reuters request for comment.
