US Judge rules former Sony employees can sue over data breach

A Californian federal judge ruled on Monday that former employees of Sony Pictures Entertainment can sue the company as a consequence of last year's data breach, which resulted in the loss of personally identifiable information, such as social security numbers and medical records.

Sony has faced numerous lawsuits after its mammoth data breach late last year, which the FBI has publicly blamed on North Korea. Legal actions were filed in December and January but have now been combined into a single federal action. It alleges that Sony was negligent in not maintaining adequate security to stop hackers from accessing company systems and the data they held, including salaries, health data, emails and other sensitive information.

The company tried to put an end to the lawsuit by arguing that the plaintiffs had not suffered any physical harm, property damage or other specific injuries. But Judge Klausner, who did reject some of the claims put forward by the plaintiffs, instead ruled that the complaint was sufficiently well grounded to move on to its next stage.

He writes that the allegations that the stolen personally identifiable information (PII) was posted on file-sharing websites for identity thieves to download, and that this information has been used to send threatening emails, "alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury."

He also accepted the plaintiffs' allegations that the costs of credit monitoring, password protection, and more have already been incurred to deal with the heightened risk.

"Californian courts have not considered whether, in the context of data breach cases, costs relating to credit monitoring or other prophylactic measures sufficiently support a negligence claim," he wrote. "Upon review of the allegations, the Court finds that the Complaint sufficiently alleges facts to support the reasonableness and necessity of Plaintiffs' credit monitoring."

The judge dismissed the portion of the lawsuit dealing with Sony's alleged failure to notify its ex-employees of the data breach in a timely fashion. Nevertheless, he allowed the negligence claim to go beyond the injuries sustained by ex-employees needing to purchase identity theft protection. He accepted that the plaintiffs enjoyed a special relationship with Sony and that the negligence claim should include the allegation that Sony failed to maintain adequate security measures.

Elsewhere in the decision, Sony still faces potential liability for failing to maintain the confidentiality of former employees' medical information. A claim under California's health privacy law continues, as does a separate claim that Sony violated California's Unfair Competition Law.

The case in question is Corona v. Sony Pictures Entertainment Inc., 14-CV-09600, US District Court, Central District of California (Los Angeles).