Unless you’ve been hiding under a rock recently, you’ll have heard about the ongoing tension between the United States and North Korea over a massive hack suffered by Sony. As the war of words increases (and debate continues over whether The Interview, the somewhat controversial movie that began it all, should be shown), one group of people is already taking action: employees of Sony whose personal information, including Social Security numbers, was stolen and shared online. The company’s now been hit with six class action lawsuits, all claiming that inadequate protections were in place to protect private data. Although the intention of the as-yet-unidentified hackers was to halt screenings of The Interview, Sony workers have found themselves caught up in the controversy, with salary histories and bank account numbers also stolen and released online.
Sony hack – what was stolen?
Amid the release of embarrassing emails from Sony executives criticizing Hollywood stars and critiquing their own movies, it became clear that hackers had managed to steal files containing workers’ bank account numbers, health insurance information, salary histories and Social Security numbers. This includes an estimated 47,000 freelance workers, as well as some more famous names.
How was it stolen?
The FBI is still investigating just how hackers – who the U.S. government has now officially linked to North Korea – managed to so successfully get access to Sony’s networks, but it seems fairly certain that Sony failed to address security issues it had already been warned about. In emails leaked by the hackers themselves, Sony executives discuss a September 2014 security audit that found serious weaknesses in the system. This included master lists of passwords stored in files named “PASSWORD,” as well as various other issues. One of the reasons class action lawsuits have been filed is that Sony allegedly had advance warning that its IT was vulnerable and failed in its duty to protect its employees’ data. One suit, filed this week, puts it bluntly:
“[Sony's duty to protect its employees' information is the same] regardless of the identity of the hackers or cybercriminals, even if, as some recent press reports indicate, they act at the direction of a foreign government.”
One of the first lawsuits filed against Sony over the hack recalls a data breach in April of 2011 in which 77 million Sony PlayStation users had their data stolen. This, lawyers say, shows that Sony has long had problems with its security – but has also been given sufficient time to fix them.
What laws do the suits claim were broken?
The six class action lawsuits filed (so far) allege a variety of violations under both California and federal law. These include negligence; invasion of privacy; violations of the Fair Credit and Reporting Act; negligent hiring and supervision of security personnel; and violations of California’s Data Breach Act, Confidentiality of Medical Information Act, Customer Records Act, and Unfair Competition Law.
- The first suit filed on behalf of plaintiffs Michael Corona and Christina Mathis estimates 15,000 Sony workers are affected by the claims.
- The second suit, filed on behalf of Susan Dukow and Yvonne Yaconelli, goes further and places blame for the hack on Sony’s decision to support The Interview despite its controversial plot. The lawsuit seeks to represent all former and current Sony employees whose data was exposed (around 47,000 people).
- The third lawsuit was filed by plaintiffs Joshua Forster and Ella Carline Archibeque and seeks damages of at least $5 million for violations of California law.
- The fourth suit, filed on behalf of Michael Levine and Lionel Felix, alleges invasion of privacy and bailment – a legal term referring to the transfer of property (in this case, the data) without proper authorization.
- The fifth suit, filed on behalf of Marcela Bailey, seeks to represent freelancers.
- The sixth and latest suit, filed by Steven Shapiro, was filed in California and again alleges violations of state privacy laws.
What happens now?
It’s not certain, but it’s likely the suits will be consolidated into one multidistrict litigation. This would make it easier for the courts to handle the large number of class members and streamline any eventual settlement or judgment. Of course, it’s not possible to say for sure what will happen next. Although data breach lawsuits are nothing new (a judge ruled just this week that consumers will be able to sue Target Corp. over the 2013 data breach that left millions of customers’ data exposed), Sony’s case is different. The political landscape is still too unsettled to know how things will turn out, and – although the release of personal data is hugely problematic – Sony, in many ways, has bigger problems to focus on.
Whatever happens, it’s a safe bet that Sony and other companies will be implementing much better security from now on. Employees are also likely to demand better protection for their personal information before handing it over to large companies – and that’s a good thing. The more informed you are about how and why your personal information is protected, the better companies will get at ensuring leaks like this don’t happen again.