The massive computer breach at Sony Pictures Entertainment could test laws that require companies to protect their employees’ personal and medical information.
Lawyers representing former Sony Pictures employees have separately filed in Los Angeles two lawsuits that seek class-action status, alleging Sony Pictures Entertainment was negligent in the months leading up to the devastating hack. One of the complaints — a 45-page federal lawsuit, which seeks to represent former and current Sony employees — contends that Sony ignored warnings that its computer network was prone to attack.
Sony “failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years” and “subsequently failed to timely protect confidential information of its current and former employees from law-breaking hackers,” according to the federal complaint filed late Monday.
The other suit, which was filed in Los Angeles Superior Court on Tuesday, also alleges negligence and invasion of privacy of former Sony employees.
Hackers began releasing sensitive data after the studio’s security breach became public late last month. The group, calling itself Guardians of Peace, has divulged data including thousands of emails from studio chiefs, salaries of top executives and Social Security numbers of 47,000 current and former employees. Medical information of some employees and their family members was contained in the mountains of data the hackers posted on file-sharing sites.
California has strict laws that require businesses to safeguard the health records of their workers.
“There are thousands of people who have been affected by this,” Cari Laufenberg, a partner at the Seattle law firm of Keller Rohrback, said of the federal suit.
Sony declined to comment.
The breach is expected to cost Sony Pictures tens of millions of dollars as the company rebuilds its computer network, bolsters security and deals with piracy and the legal fallout.
John Nockleby, a professor at Loyola Law School in Los Angeles, said the strength of the lawsuits was unclear. The case could hinge on whether employees become victims of identity theft, he said. It is too soon to determine whether that has happened.
“It is difficult to say because the law is undeveloped in terms of damages in this area,” he said.
The plaintiffs will have a stronger case if they demonstrate Sony was aware that its computer network had been breached — or that its security was too lax.
The federal complaint contends that hackers might have swiped the “encryption keys” to Sony’s system and “that’s the keys to the kingdom,” Nockleby said. “If that’s true, then it’s a big deal, but the big picture here is whether Sony has liability.”
The hackers have demanded that Sony cancel the Dec. 25 release of the Seth Rogen comedy “The Interview,” which depicts a fictional assassination attempt on North Korean leader Kim Jong Un. The FBI is investigating the hack, which is suspected to have been orchestrated by North Korea.
Marshall Grossman, a partner in the firm Orrick, Herrington & Sutcliffe, reviewed the federal lawsuit and dismissed it as a publicity ploy.
“The complaint appears to be a hodgepodge of snap judgments and speculation of various third parties,” Grossman said.
“At difficult times like this, our focus should be on easing the pain of Sony and others who are the victims of terrorist attacks instead of piling on,” Grossman said. “I don’t see these former employees or their lawyers boarding a flight to North Korea any time soon to take depositions.”