The U.S. District Court for the Central District of California recently granted, only in part, a motion to dismiss a data breach class action against Sony Pictures Entertainment, Inc. (“Sony”) in Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK) (C.D. Cal. June 15, 2015). The case therefore will proceed with some of the claims intact.
The litigation arose from a security breach at Sony where the sensitive and personal information of at least 15,000 former and current Sony employees was stolen. The putative class alleged: (1) negligence; (2) breach of implied contract; (3) violation of the California Customer Records Act; (4) violation of the California Confidentiality of Medical Information Act; (5) violation of the Unfair Competition Law; (6) declaratory judgment; (7) violation of Virginia Code §18.2‑186.6; and (8) violation of Colorado Revised Statutes § 6-1-716. Sony moved to dismiss for lack of Article III standing under Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6).
Rule 12(b)(1) standing challenge rejected. Of all the federal circuits, data breach litigants currently are more likely to weather a standing attack in the Ninth Circuit. The Sony case was no exception. It cited to Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), to support its standing analysis. This is notable because district courts in the Ninth Circuit often do not treat Krottner as being overruled by the later-decided standing opinion of the Supreme Court of the United States in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). E.g., In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014) (finding sufficient standing allegations even when plaintiffs did not establish that hackers used their information).
Under Krottner, the Sony court quickly found that the plaintiffs had properly alleged sufficient facts to establish Article III standing and disagreed with Sony that allegations of either “a current injury or a threatened injury that is certainly impending” were lacking. The court held that the personally identifiable information (“PII”) was stolen and posted on file-sharing websites for identity thieves to download, and that the PII was used to send threatening e-mails to employees and their families. The court stated, “These allegations alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.”
Rule 12(b)(6) challenges were both granted and denied.
- Claims that survived — The court found that allegations of “future harm or an increased risk in harm that has not yet occurred” do not demonstrate a cognizable injury to support a negligence claim arising from an alleged duty to implement and maintain adequate security measures to safeguard employees’ PII. The court also rejected the theory that the plaintiffs’ PII constitutes property for lack of authority that the PII has any compensable value in the economy at large.Nevertheless, the court recognized that California courts have not considered, in data breach cases, whether the costs of prophylactic measures (credit monitoring, obtaining credit reports. identity-theft protection, etc.) are sufficient to support a negligence claim. Adapting case law on toxic exposure, the court identified several allegations that showed both “reasonableness and necessity,” including the sensitive nature of the PII, the posting of the PII to the Internet, the actual access of information from file-sharing sites, threats made to employees, the explicit threat of future data exposure by hackers, and notification to some plaintiffs of attempted identity theft. The court also held that a “special relationship” between Sony and its employees existed, which invalidated Sony’s economic-loss doctrine defense.However, the Court found “implausible any argument that Sony’s alleged delay [of approximately 3 weeks] in notification proximately caused any of the economic injury” alleged. The portion of the negligence claim, which was based on the alleged duty to timely notify, was dismissed.
The California Confidentiality of Medical Information Act (“CIMA”) claim survived. CIMA directs employers who receive medical information to establish procedures to safeguard the confidentiality and protection of that information from unauthorized use and disclosure. Noting that CIMA authorizes a private right of action for covered medical information that is “negligently released,” the court also recognized that California law does not require affirmative action to constitute a negligent release, and allowed the claim to proceed.
The Unfair Competition Law (“UCL”) claim also advanced. The court noted that predicate acts for the UCL claim remained because the plaintiffs’ allegations sufficiently alleged injury-in-fact, economic loss, and because portions of the plaintiffs’ negligence and CIMA claims survived dismissal. In light of the ruling on the UCL claim, the court derivatively refused to dismiss the claims for declaratory and injunction relief.
- Claims that were dismissed — But, the plaintiffs did not have a complete victory. Their implied contract claim was dismissed (with leave to amend) because there were “no facts indicating that Sony’s acts were intended to frustrate the agreed common purpose of the [employment] agreement.” The court also found significant that the putative class included members who “were no longer employed by Sony at the time the data breach occurred.”The court likewise dismissed the California Customer Records Act (“CRA”) claim, but without leave to amend. This California statute regulates businesses’ “treatment and notification procedures relating to their customers’ personal information.” (emphasis added) Because the complaint’s allegations made “clear that Plaintiffs are not customers within the meaning of the statute,” the CRA allegations failed to state a claim. Additionally, the court dismissed the Virginia and Colorado breach notification claims without leave to amend, primarily for lack of allegations of direct economic damages resulting from Sony’s purported failure to notify in a timely manner.
The Sony case and others make clear that data breach litigation is on the rise and surviving many of the traditional Rule 12 arguments with increasing consistency.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code