Sony’s “business decision” greenlights data breach class action
The former Sony employees alleged two separate bases for their negligence claim:
- That Sony breached a duty to implement and maintain adequate security measures to safeguard their personal information; and
- That Sony breached a duty to notify them of the security breach.
The news is not all bad for defendants. The court rejected the theory of liability that relied on characterizing personal information as property of the employees (a theory of liability that plaintiffs have pursued in other cases). The court also rejected certain categories of claimed damages such as lost productivity, finding that allegations of future harm or increased risk of harm are too speculative to support a negligence claim.
Nonetheless, the court agreed with the former employees that they had alleged a cognizable injury in the form of costs already incurred for credit monitoring, costs incurred as a result of credit freezes, and related items. As these forms of harm are likely to be suffered in the event of any data security breach, the court’s ruling suggests that business entities that are sued for negligence are unlikely to prevail by arguing that no concrete injury has occurred. Instead, the salient issue is likely to be simply whether the defendant entity has done enough on the front end to implement adequate safeguards against the inevitable security breach.
As the court’s ruling demonstrates, even post-breach compliance with applicable notification statutes will not suffice to avoid liability where the entity whose security was breached failed to invest adequately in cybersecurity technology before the occurrence of a breach. Employers and other business entities would be wise to heed the court’s words of caution when making their “business decisions” and to allocate sufficient resources to strengthen their cybersecurity systems.