Moves to dismiss a class action suit against Sony Pictures Entertainment have failed and the case, initially filed on 2 March 2015, will continue with nine plaintiffs suing the company in the wake of the security breach in which Sony's information technology infrastructure and network were hacked.
Sensitive personal data of at least 15,000 former and current Sony employees were stolen. “The information included financial, medical and other personally identifiable information (PII), was used to threaten the individual victims and their families, and was posted on the internet,” said Judge Klausner of the US District Court.
The plaintiffs, who are all former employees of Sony, cited these claims:
negligence, breach of implied contract, violation of the California Customer Records Act, violation of the California Confidentiality of Medical Information Act, violation of the Unfair Competition Law, Declaratory Judgment, violation of Virginia Code § 18.2-186.6 and violation of Colorado revised statutes § 6-1-716.
Judge Klausner stated, “The[se factual allegations] alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.”
On 5 June, the court granted a motion to dismiss the case but only in part, allowing progress to trial.
Many press accounts attributed the Sony hack to North Korea, seemingly a response to the release of the movie “The Interview”, thought to be offensive by the country and its leaders. Others suggested that the motive was purely financial, making a non-state actor more likely.
Sony argued that the plaintiffs endured no current or threatened injury that is impending, but the court rejected those arguments.
The court rejected the negligence claim of the plaintiffs due to a failure to notify them of the security breach in time. However, the claim was admitted to continue on the basis of Sony's “alleged breach of duty to maintain adequate security measures.”
The plaintiffs argued that by hiring and paying them there came about an implied contract to protect their data. The court clashed with this argument and granted Sony's motion to dismiss to that cause of action.
The court granted Sony's motion to dismiss to an alleged violation of the California Records Act, but they found that under the California Confidentiality of Medical Information Act that the plaintiffs could proceed, as no formal disclosure was required of Sony. The Act requires each employer that receives medical information to establish appropriate procedures to ensure confidentiality and protection from unauthorised use and disclosure of the information.
The motion to dismiss was denied under the Unfair Competition allegations of the plaintiffs but granted as to alleged violations of the Virginia Code. Lead plaintiff, Michael Corona, a Virginia resident, “discovered an unencrypted spreadsheet containing his [personal information] online, before he received any notification from Sony, and before he had an opportunity to obtain identity protection services.”
Motion to dismiss was granted as to violation of Colorado's Consumer Protection Act, due to there being no private right to sue under the statute. The state's attorney general is the only one to keep such an action.
The court failed to hinder the plaintiffs from pursuing injunctive and declaratory relief.