After a barrage of media coverage over the release of The Interview, Sony Pictures now finds itself in federal court defending against seven class action lawsuits filed less than a month after the North Korean government hacked its computer system. Sony became aware of this “unprecedented” attack, in which it reportedly lost over 100 terabytes of data, on the morning of November 24th. The first class action complaint, Corona v. Sony Pictures Entm’t, Inc., was filed on December 15, 2014 — two days later, the U.S. Government announced that North Korea perpetrated the cyber assault. The lead plaintiffs in Corona, both former employees of Sony, claim that the company ignored concerns about weaknesses in its data security that left the company vulnerable to attack. The plaintiffs in all seven class actions allege, among other things, general negligence and violations of various privacy statutes. They claim that they were injured when their personal information was stolen and posted online.
California is known to have some of the strongest privacy protection laws in the nation. But, the rest of the country isn’t lagging too far behind. Forty-seven states have security breach notification laws, including New Jersey, New York and Pennsylvania. There is legislation pending in these three states that relates to the penalties for failure to report a computer security breach (NJ A.B. 1329); the release of personal identifiable student information where parent consent is not provided (NY S.B. 5932); and new requirements that state agencies and municipalities provide notice of data breaches (PA H.B. 2167). Moreover, on January 12, 2015, the White House proposed new federal legislation, the Personal Data Notification & Protection Act, that would require “[a]ny business entity … that uses, accesses, transmits, stores, disposes of or collects … personally identifiable information about more than 10,000 individuals during any 12-month period [to] notify any individual whose … information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual.” Sec. 101(a).
Target, Home Depot, and, most recently, Anthem, Inc. are also defending cyber-attack class actions. The trend is unsettling, and the constantly changing statutory landscape leaves companies vulnerable to complex, high-cost litigation. Understanding and complying with new and evolving regulations for reporting security breaches is critical, but it may not be enough. Sony, for instance, is accused of making “a valid business decision to accept” certain risks in its data security system. Similarly, the plaintiffs in the Target class action accuse the company of ignoring warning signs leading up to a massive data breach in 2013. Companies dealing with personal information must be proactive in maintaining strong security measures and regularly testing their system’s weaknesses. Additionally, it is important to train employees to recognize when a data breach has occurred, and to have a prepared response in place in an era of increasing risk.