On December 15, 2014, two former employees, Michael Corona and Christina Mathis, filed a lawsuit against Sony Pictures Entertainment, Inc. See Complaint, Michael Corona et al v. Sony Pictures Entertainment, Inc. The Complaint initiating the lawsuit properly alleged the facts required to prove a negligence claim based on the theory that Sony negligently failed to protect the plaintiffs against the foreseeable and preventable data breach and the plaintiffs suffered harm as a proximate result.
The Negligence Theory
To prove their negligence claim, the plaintiffs must prove four elements: (1) Sony owed them a duty; (2) Sony breached that duty; (3) the plaintiffs suffered damages; and (4) Sony’s breach of its duty to the plaintiffs proximately caused their damages.
Allegations 99 through 103 of the Complaint, if true, prove the defendant owed the plaintiffs a duty of care. For instance, Allegation 99 states:
Defendant owed a duty to the Class to exercise reasonable care in obtaining, securing, safeguarding, deleting and protecting Plaintiffs’ and the Class’ [Private Identifying Information] within its possession or control from being compromised, lost, stolen, accessed and misused by unauthorized persons. This duty included, among other things, designing, maintaining and testing Sony’s security systems to ensure that Plaintiffs’ and Class members’ PII in Sony’s possession was adequately secured and protected. Sony further owed a duty to Plaintiffs and the Class to implement processes that would detect a breach of its security system in a timely manner and to timely act upon warning and alerts including those generated by its own security systems.
This allegation, if true, proves Sony owed at least four duties to the plaintiffs. The first duty was to design, maintain, and test security systems that would protect against foreseeable and preventable hacking. The second duty was to make sure the PII with which it was entrusted was adequately secured and protected against foreseeable and preventable hacking. The third duty was to implement processes that would enable Sony to detect foreseeable breaches of its security systems in a reasonable amount of time. The fourth duty was to reasonably respond to the warnings and alerts that its security systems generated.
Allegations 104 through 107, if true, prove Sony breached the duty of care it owed the plaintiffs. For instance, Allegation 106 states:
Through its acts and omissions described herein, Sony unlawfully breached its duty to use reasonable care to protect and secure Plaintiffs’ and the Class’ PII within its possession or control. More specifically, Defendant failed to maintain a number of reasonable security procedures and practices designed to protect the PII of Plaintiffs and the Class, including, but not limited to, establishing and maintaining industry-standard systems to safeguard its current and former employees’ PII. Given the risk involved and the amount of data at issue, Sony’s breach of its duties was entirely unreasonable.
(3) Damages and (4) Causation
Allegation 108, if true, proves Sony’s negligence caused the plaintiffs to suffer calculable economic damages. It states:
As a direct and proximate result of Defendant’s breach of its duties, Plaintiffs and members of the Class have been harmed by the release of their PII, causing them to expend personal income on credit monitoring services and putting them at an increased risk of identity theft. Plaintiffs and members of the Class have spent time and money to protect themselves as a result of Defendant’s conduct, and will continue to be required to spend time and money protecting themselves, their identities, their credit, and their reputations.
Sony will likely argue that the plaintiffs failed to state a viable claim for negligence. It might even file a motion to dismiss pursuant to Rule 12(b)(6), Federal Rules of Civil Procedure. That motion to dismiss should fail for the reasons explained below.
Sony might attack the duty element. Sony only owed the plaintiffs a duty to protect them against foreseeable and preventable harm. Sony could (and should) agree that it owed the plaintiffs a duty to keep their PII safe from foreseeable and preventable hacking attempts. Sony could (but shouldn’t) then argue that the hack was neither foreseeable nor preventable. If Sony can prove the data breach was not foreseeable or not preventable, it might prove that it owed the plaintiffs no duty to protect them from this unfortunate but unforeseeable and unpreventable data breach. This argument should fail. The security breach was probably foreseeable and preventable.
Sony can attack the breach element. It could argue that its security systems met or exceeded industry standards, its security systems complied with all applicable laws, or its security systems performed in accordance with the express or implied promises it made to the plaintiffs. This argument will require expert witnesses to weigh in. The plaintiffs will be able to find credible experts who will opine that Sony’s security systems fell below industry standards or failed to comply with applicable laws. Sony will find credible experts who will opine the opposite. If Sony owed the plaintiffs a duty, then the negligence claim will probably not be dismissed on the grounds that Sony did not breach its duty. Whether Sony breached its duty will be a question of fact that the parties’ experts will help the court or the jury answer later.
Sony can attack the damages element. Had the plaintiffs failed to allege the negligent data breach caused them specific economic damages, Sony would have had a good chance to get the claim dismissed based on the plaintiffs’ failure to plead proof of damages. Some data breach lawsuits have failed because courts determined the plaintiffs failed to allege facts that could prove they suffered calculable economic damages. Some courts reasoned there could be no reliable proof of economic harm before there was actual proof that identity theft occurred. It has been difficult for data breach plaintiffs to prove, without resorting to speculation, that they were more likely to become identity theft victims solely because their PII had been hacked. Esoteric arguments can be made that data breach victims are more likely to suffer future economic harm than people who are not data breach victims and this change in their status from non-data-breached to data-breached is enough to prove they are entitled to economic damages. But esoteric arguments rarely find traction in busy trial courts.
The plaintiffs in this lawsuit pleaded negligence correctly. They included allegations that support their claims for calculable, non-speculative economic damages. They alleged Sony’s negligence caused them to purchase credit monitoring services they would not have purchased but for Sony’s negligence. Most people do not purchase credit monitoring services. The plaintiffs, like most people, should not have reasonably perceived a need to purchase credit monitoring services before they were informed that their PII was hacked. After they were informed their PII was hacked, it became reasonable for them to try to protect themselves against foreseeable identity theft damages by purchasing credit monitoring services. Had they failed to promptly purchase credit monitoring services after learning their PII was hacked and then suffered substantial economic damages due to identity theft, some of the damages they would have suffered due to the identity theft would have arguably been their fault. Their failure to take reasonable steps to mitigate their foreseeable and preventable identity theft damages after being informed their PII had been hacked would arguably be a proximate cause of their identity theft damages.
By Ed Hopkins, HopkinsWay PLLC. | © HopkinsWay PLLC 2014. All rights reserved.