The U.S. District Court for the Central District of California ruled, in Corona v. Sony Pictures Entertainment, Inc., that former Sony employees may proceed with their negligence and other claims against the company for failing to prevent the theft of their financial, medical, and other personal information. The theft was part of a cyberattack by North Korea on Sony’s databases and the release of embarrassing emails from Sony executives and other information on the Internet. Bucking the trend in similar data breach cases, the court found that the threat of future harm resulting from the theft was sufficient to meet the “certainly impending” harm standard established by the Supreme Court in Clapper v. Amnesty International USA. The court also held that costs incurred by the plaintiffs to protect against identity theft constituted cognizable injury sufficient to state a negligence claim. And it held that the “economic loss” doctrine did not bar the suit because plaintiffs had adequately alleged a “special relationship” with Sony based in part on the foreseeability of the breach in light of Sony’s past data breaches and its alleged failure to take adequate preventative steps.