The U.S. District Court for the Central District of California recently granted, only in part, a motion to dismiss a data breach class action against Sony Pictures Entertainment, Inc. (“Sony”) in Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK) (C.D. Cal. June 15, 2015). The case therefore will proceed with some of the claims intact.

The litigation arose from a security breach at Sony where the sensitive and personal information of at least 15,000 former and current Sony employees was stolen. The putative class alleged: (1) negligence; (2) breach of implied contract; (3) violation of the California Customer Records Act; (4) violation of the California Confidentiality of Medical Information Act; (5) violation of the Unfair Competition Law; (6) declaratory judgment; (7) violation of Virginia Code § 18.2-186.6; and (8) violation of Colorado Revised Statutes § 6-1-716. Sony moved to dismiss for lack of Article III standing under Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6).

Rule 12(b)(1) standing challenge rejected. Of all the federal circuits, data breach litigants currently are more likely to weather a standing attack in the Ninth Circuit. The Sony case was no exception. It cited Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), to support its standing analysis. This is notable because district courts in the Ninth Circuit often do not treat Krottner as being overruled by the later-decided standing opinion of the Supreme Court of the United States in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). E.g., In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014) (finding sufficient standing allegations even when plaintiffs did not establish that hackers used their information).

Under Krottner, the Sony court quickly found that the plaintiffs had properly alleged sufficient facts to establish Article III standing and disagreed with Sony that allegations of either “a current injury or a threatened injury that is certainly impending” were lacking. The court held that the personally identifiable information (“PII”) was stolen and posted on file-sharing websites for identity thieves to download, and that the PII was used to send threatening e-mails to employees and their families. The court stated, “These allegations alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.”

Rule 12(b)(6) challenges were both granted and denied.

  • Claims that survived—The court found that allegations of “future harm or an increased risk in harm that has not yet occurred” do not demonstrate a cognizable injury to support a negligence claim arising from an alleged duty to implement and maintain adequate security measures to safeguard employees’ PII. The court also rejected the theory that the plaintiffs’ PII constitutes property for lack of authority that the PII has any compensable value in the economy at large.

Nevertheless, the court recognized that California courts have not considered, in data breach cases, whether the costs of prophylactic measures (credit monitoring, obtaining credit reports, identity-theft protection, etc.) are sufficient to support a negligence claim. Adapting case law on toxic exposure, the court identified several allegations that showed both “reasonableness and necessity,” including the sensitive nature of the PII, the posting of the PII to the Internet, the actual access of information from file-sharing sites, threats made to employees, the explicit threat of future data exposure by hackers, and notification to some plaintiffs of attempted identity theft. The court also held that a “special relationship” between Sony and its employees existed, which invalidated Sony’s economic-loss doctrine defense.

However, the court found “implausible any argument that Sony’s alleged delay [of approximately 3 weeks] in notification proximately caused any of the economic injury” alleged. The portion of the negligence claim that was based on the alleged duty to timely notify was dismissed.

The California Confidentiality of Medical Information Act (“CIMA”) claim survived. CIMA directs employers who receive medical information to establish procedures to safeguard the confidentiality and protection of that information from unauthorized use and disclosure. Noting that CIMA authorizes a private right of action for covered medical information that is “negligently released,” the court also recognized that California law does not require affirmative action to constitute a negligent release, and allowed the claim to proceed.

The Unfair Competition Law (“UCL”) claim also advanced. The court noted that predicate acts for the UCL claim remained because the plaintiffs’ allegations sufficiently alleged injury-in-fact and economic loss, and because portions of the plaintiffs’ negligence and CIMA claims survived dismissal. In light of the ruling on the UCL claim, the court derivatively refused to dismiss the claims for declaratory and injunctive relief.

  • Claims that were dismissed—But, the plaintiffs did not have a complete victory. Their implied contract claim was dismissed (with leave to amend) because there were “no facts indicating that Sony’s acts were intended to frustrate the agreed common purpose of the [employment] agreement.” The court also found significant that the putative class included members who “were no longer employed by Sony at the time the data breach occurred.”

The court likewise dismissed the California Customer Records Act (“CRA”) claim, but without leave to amend. This California statute regulates businesses’ “treatment and notification procedures relating to their customers’ personal information.” (emphasis added) Because the complaint’s allegations made “clear that Plaintiffs are not customers within the meaning of the statute,” the CRA allegations failed to state a claim. Additionally, the court dismissed the Virginia and Colorado breach notification claims without leave to amend, primarily for lack of allegations of direct economic damages resulting from Sony’s purported failure to notify in a timely manner.

The Sony case and others make clear that data breach litigation is on the rise and is surviving many of the traditional Rule 12 arguments with increasing consistency.