Data Breach Case Survives Rule 12 – Sony Employee Negligence Claims Still Kicking

A familiar refrain of some corporate clients discussing data breaches is: “We’re not a health care company. We also don’t process customer credit card transactions. We really don’t collect protected health information or personally identifiable information from customers in any way. Do we need to be worried about data breaches?” A June 15, 2015 decision from the U.S. Central District of California reaffirms that the answer is a resounding, unqualified YES for any company that has employees, which means almost any company of any kind, regardless of whether it provides health-care-related services or processes customer credit card transactions.

In Corona v. Sony Pictures Entertainment (14-CV-09600 RGK (Ex)), Judge Klausner handed Sony employees a significant victory, holding that their negligence and California Unfair Competition Law (Cal. Bus. & Prof. Code Sec. 17200, “UCL”) claims were viable. As with most Rule 12 data breach class action challenges, Sony’s first line of attack was that the plaintiffs lacked Article III standing under the U.S. Constitution because they had suffered no “injury in fact.” The court disagreed, finding that the allegations that the protected health information (“PHI,” such as medical information) and personally identifiable information (“PII,” such as financial information) of the employees were posted on file-sharing websites for identity thieves to download, and that the employees had been threatened with physical harm by identity thieves, were sufficient to state an injury in fact.

Sony also argued as to the negligence claims that the plaintiffs had failed to adequately allege the element of injury, and that the claims were barred by the economic loss doctrine. The court again disagreed, finding sufficient allegations of injury because of public disclosure of PII and PHI on file-sharing websites and that the economic loss doctrine did not bar the claims because a special relationship existed between the employees and Sony that required the plaintiffs to provide their PII and PHI to Sony in exchange for compensation and benefits.

The UCL claims likewise survived because of sufficient allegations of injury in fact, and the court deemed Sony’s attack on the injunctive and declaratory relief claims premature.

As to the other claims, the court dismissed the breach of implied contract claims with prejudice because there were no facts indicating that Sony intended to frustrate the common purpose of the employment agreements (employment in exchange for compensation and benefits). The court also dismissed the California Customer Records Act (Cal. Civ. Code Sec. 1798.80, et seq.) claims with prejudice because the statute was intended to protect customers, not employees, and there were no allegations that Sony had violated the statute as to customers. And the court dismissed, without prejudice, the Virginia and Colorado data breach notification statute (Va. Code Sec. 18.2-186.6(B), Colo. Rev. Stat. Ann. Sec. 6-1-716(2)) claims because the plaintiffs had not alleged any injury arising from the alleged untimely notification.

This decision once again highlights that data breach is a problem that affects virtually any corporation, regardless of the nature of its business, because to receive compensation and benefits, employees generally must share PII and PHI with the corporation (creating obligations for the corporation to protect and respond to any breach of that information). Potential data breach class action adversaries are not just external to the corporation. The claims can also come from insiders.

© 2015 Vedder Price

Published by

National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy-to-use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis. In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.