(Bloomberg) -- The massive hack of Sony Pictures Entertainment Inc.’s computers has spurred what may be the first lawsuit by former employees accusing the movie company of failing to protect the personal information of thousands of workers.
Two ex-employees called the breach “an epic nightmare, much better suited to a cinematic thriller than to real life.”
Sony knew it had inadequate measures in place to protect its data and suffered breaches twice before this year’s attack, in which hackers got into the company’s computer systems and released employee salaries, worker health data, racially tinged e-mail banter and other sensitive information, according to the complaint filed yesterday in Los Angeles federal court.
“Sony made a ‘business decision to accept the risk’ of losses associated with being hacked,” according to the ex-workers, who seek to sue on behalf of about 15,000 current and former employees whose data was compromised.
Representatives of Culver City, California-based Sony Pictures didn’t immediately respond to phone and e-mail messages seeking comment on the lawsuit.
Sony Warned
Sony Corp. was warned about a year ago that hackers had infiltrated its network and were stealing gigabytes of data several times a week, underscoring a pattern of lapses predating the recent attack.
The hackers, who haven’t been identified, sifted in late 2013 through data from the company’s network, encrypted the information to cover their tracks and mined it on a regular schedule, said a person familiar with Sony’s investigation of the breach, who asked not to be named because the findings are confidential.
The two former employees, one a Virginia resident who worked at Sony from to 2004 to 2007 and the other a California woman who worked at Sony from 2000 to 2002, say they have had to buy identity-theft protection and have spent as much as 50 hours safeguarding themselves against any possible harm from the stolen personal information.
They seek unspecified damages for negligence and violations of California and Virginia state laws.
Tough Proof
In general, it’s hard for plaintiffs to prove harm from stolen personal data when they haven’t become actual victims of identity theft, said Jonathan Handel, who teaches entertainment law at the University of Southern California. If actual identity theft has occurred, the claims may not be suitable for a class action like this one, he said.
“It’s a different type of financial harm if I can’t close on buying a house because of identity theft than if I can’t buy a bunch of Tiffany jewelry,” Handel said in a phone interview.
Sony Pictures said in a Dec. 8 letter to its employees, filed with the California Attorney General’s Office, that the hackers may have stolen Social Security, driver’s license and passport numbers, as well as credit-card, compensation and medical information, among other private data.
The studio said in the letter that it’s offering all employees 12 months of identity protection services at no charge through a third-party provider.
The case is Corona v. Sony Pictures Entertainment Inc., 14-09600, U.S. District Court, Central District of California (Los Angeles).
--With assistance from Jordan Robertson and Michael Riley in Washington.
Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
