Based on a recent article published by the Chicago Tribune, it appears that the tide of inevitable lawsuits associated with Sony’s data breach recently started to wash across the country. The Tribune reports that at least 25 lawsuits have been filed in U.S. federal courts following the hacker attack and data breach at Sony’s PlayStation and Qriocity Networks. The lawsuits accuse Sony of negligence and breach of contract for allowing the personal data of more than100 million network subscribers to be compromised and stolen. Moreover, the article suggests that Sony now acknowledges that whoever hacked into their networks may have gained access to approximately 12.3 million credit card numbers, a statistic that Sony had not previously owned up to.
Citing language typical for such claims, one lawsuit reads, “had Sony properly secured its database through known and available encryption methods, even if a hacker were able to enter the network, he would be limited in his ability to inflict harm.” Judges are just beginning to address the issue of whether the loss of personally identified information (PII) represents a loss in and of itself, or whether plaintiffs mush show that they suffered additional damages due to an attack.
Last month, U.S. District Court Phyllis Hamilton declined to dismiss a proposed class action involving a 2009 data breach at RockYou, a company that develops social networking applications. Hearing the issue in Oakland, California, Judge Hamilton found that the plaintiffs’ allegations were sufficient to allow the lawsuit to move forward, but ruled that the case will ultimately fail in the event the plaintiffs are unable to demonstrate tangible harm stemming from the breach. It does not appear that Judge Hamilton’s ruling deterred the plaintiffs’ bar, as Ira Rothken, a San Francisco-based lawyer who handles privacy class actions noted that he expects data breaches to grow in the future. Rothken moved to consolidate all the Sony lawsuits in the District Court for the Northern District of California on Monday. Nonetheless, despite expanding data breach litigation, internet privacy lawsuits do not yield the large settlements that are traditionally associated with classic securities fraud litigation. In the case at bar, the fact that Sony already offered its customers complementary enrollment in an identity theft protection plan should act to minimize realized losses.
