Because Sony’s former employees “face ongoing future vulnerability to identity theft” they can proceed with their class action, a California District Court ruled on Monday. The case, Corona v. Sony Pictures Entm’t, Inc., is linked to the North Korean hackers who tried to stop Sony from releasing the movie The Interview. It was filed less than a month after Sony became aware of the attack.
Relying on the Ninth Circuit’s decision in Krottner v. Starbucks, the court held that the plaintiffs have Article III standing because they alleged “a credible threat of real and immediate harm, or certainly impending injury.” “Plaintiffs have alleged that the PII [personally identifiable information] was stolen and posted on file-sharing websites for identity thieves to download … [and] that the information has been used to send emails threatening physical harm to employees and their families.” The court found that this alone was enough. Krottner has become the plaintiff’s darling of data security class actions for lowering what is needed to establish an injury-in-fact. There is a circuit split on the issue, though – the Third Circuit said Krottner was based on a “skimpy rationale,” while the Seventh Circuit has sided with the Ninth Circuit.
The District Court for the Central District of California also considered the plaintiffs’ various causes of action, rejecting their breach of contract and California Customer Records claims, but allowing several other counts to move forward, including their claim for negligence.
Sony argued that the plaintiffs could not establish a cognizable injury sufficient to move forward with the negligence claim. The plaintiffs argued that they incurred costs to monitor and to protect their credit. In order to determine whether those monitoring costs were compensable, the court listed five factors that it considered: 1) the significance and extent of the compromise to the plaintiffs’ PII; 2) the sensitivity of the compromised information; 3) the relative increase in the risk of identity theft; 4) the seriousness of the consequences resulting from identity theft; and 5) the objective value of early detection. The court found that it was reasonable and necessary for the plaintiffs to seek credit monitoring, because, among other things, “[i]t is commonly known that the consequences resulting from identity theft can be both serious and long-lasting.”