Sony Pictures must continue to defend a lawsuit filed by nine former employees whose personal information was stolen from the studio during a cyberattack last fall, a federal court has ruled.
The former employees sued Sony in March, charging the company with negligence, breach of contract and violation of confidentiality laws in failing to safeguard medical, financial and other personally identifiable information that the attackers later posted online and traded via the Internet. The plaintiffs charge they’ve have had to subscribe to identity-protection and credit-monitoring services, obtain credit reports and incur costs resulting from freezes to their credit.
Sony asked the U.S. District Court in Los Angeles to dismiss the suit, alleging that the former employees failed to show injury sufficiently concrete to establish standing.
The court disagreed. “Here, plaintiffs have alleged that PII was stolen and posted on file-sharing websites for identity thieves to download,” wrote Judge Gary Klausner in a ruling released June 15. “Plaintiffs also allege that the information has been used to send emails threatening physical harm to employees and their families. These allegations alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.”
According to the court, the costs incurred by the former employees also satisfy the requirement for injury on which a claim of negligence depends, although Klausner sided with Sony and dismissed part of the lawsuit that charged the company with failing to notify the former employees of the breach in a timely fashion.
The plaintiffs also established that a so-called special relationship exists between a company and its employees that allows the employees to later hold the employer responsible for negligence and breach of contract. According to the plaintiffs, Sony failed to shore up systems that stored records for human resources despite experiencing data breaches in the past.
Klausner agreed, noting that “to receive such compensation and other benefits, Sony required plaintiffs to provide their PII, including names, addresses, Social Security number, medical information, and other personal information.”
Sony’s alleged failure to defend its systems against a cyberattack also allows the former employees to charge the company with violating a California law that obligates employers to safeguard employees’ medical information, the court ruled.