Sony data breach case: boundaries on liability becoming clearer

July 2, 2015

At the beginning of 2015, I asked whether defendants should start reassessing their risk in data breach class actions. I pointed out that plaintiffs had learned from a string of dismissals in which federal judges said they didn’t have constitutional standing to sue under the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Consumers suing Target, for instance, managed to keep their case alive by claiming they’d suffered the actual harm of unlawful charges on their accounts or restricted access to their funds. Similarly, financial institutions staved off the dismissal of their class action against Target with assertions based on their costs to replace customers’ compromised cards.

A ruling in June by U.S. District Judge R. Gary Klausner of Los Angeles in Sony employees’ data breach class action confirms that Clapper is no longer a silver bullet for defendants. Sony’s lawyers at Wilmer Cutler Pickering Hale & Dorr argued that the company’s current and former employees didn’t have constitutional standing to sue because they hadn’t suffered a real or certainly impending injury. Judge Klausner said the posting of their personal information on sites frequented by identity thieves was enough to establish a credible threat of harm.

That’s the bad news for data breach defendants. The good news, based on Klausner’s decision and a report by the employees’ expert economist, is that the company’s potential exposure has a ceiling – and it’s not that high.

The judge restricted former employees’ claims to costs they have incurred to protect against identity theft, such as credit monitoring and password protection services, and to statutory damages for Sony’s alleged failure to protect their confidential health records. According to the plaintiffs’ own expert, whose report was included in a motion for class certification filed Tuesday, their average outlay for credit protection is about $311. Statutory damages under California law for failing to safeguard health data are $1,000 per class member. The class includes “at least” 15,000 current and former Sony employees, according to Judge Klausner’s dismissal opinion. So, if you do the math, that’s about $20 million in exposure for Sony.

The economics expert also estimated that class members will have to spend another $700 or so to protect their credit in the next two years because Sony is only providing a year of credit monitoring. It’s not entirely clear from my read of Judge Klausner’s dismissal ruling whether the class can claim these future expenses, but if they’re part of the calculation, Sony’s potential liability goes up to about $30.5 million. (The class can also recover attorneys’ fees and costs.)

That’s a lot of money, sure, but definitely a manageable amount for Sony, especially because it’s just a starting point for negotiations with plaintiffs’ lawyers, assuming the class size is about 15,000. Sony will surely argue that not every employee’s health information was compromised and that the average cost of credit monitoring is less than the class expert estimated.

The Sony case seems to exemplify the state of the art of data breach litigation: Defendants can’t entirely escape liability, but their exposure has clear boundaries. I’d bet that’s a tradeoff big companies will happily accept.

I left phone messages for Sony class counsel Matthew Preusch at Keller Rohrback and Daniel Girard at Girard Gibbs but didn’t hear back.
