News & Resources

Publications & Media

“Sony lawsuits offer another warning to companies facing breaches”

Safe and Sound By Jennifer L. Rathburn

A third class action lawsuit was filed against Sony on Wednesday – two others were filed earlier this week – which claims the company didn’t protect employee information from being exposed in the hacking breach.

On a larger scale, these lawsuits bring up a potentially significant hurdle for companies that face a breach. As Wired reported: “It’s not unusual for companies that suffer breaches, like Sony and Target, to find themselves besieged by lawsuits, but ones filed by the individuals whose personal data is stolen rarely succeed. . . . and courts have thrown out the suits for lack of standing.”

The basis for these dismissals is typically that there is not sufficient immediate harm presented.

However, the U.S. District Court for the Northern District of California recently ruled against Adobe in a similar case, which may give Sony plaintiffs hope that they have a leg on which to stand.

The Court in the Adobe matter found that the threat of harm to personal data is “immediate and very real. . . . Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. However, to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be ‘literally certain’ in order to constitute injury-in-fact.”

In other words, this Adobe case shows a potential shift in the judiciary’s viewpoint. The judiciary demonstrates a willingness to accept potential future harm as a sufficient reason to bring suit.

Fortunately, the current litigation trends are probably good news for employers because courts do not traditionally accept this reasoning. But, regardless of the success of these lawsuits, the cost to defend them can be significant; and, reputational harm can occur throughout the litigation process, creating impetus for companies to continue to look into its data security proactively.

A company that faces a security breach must not only deal with the immediate ramifications of the breach, but also may face potential legal action for the harm — or potential harm — its clients or employees may face.

The plaintiff’s bar is becoming savvier in crafting these cases. And courts are becoming more accepting of what constitutes harm. This is yet another reason why companies must take these breaches seriously and scrutinize their data and privacy systems before a breach happens — not after.