A third class action lawsuit was filed against Sony on Wednesday – two others were filed earlier this week – which claims the company didn’t protect employee information from being exposed in the hacking breach.
On a larger scale, these lawsuits bring up an interesting situation for companies that face a breach. As Wired reported: “It’s not unusual for companies that suffer breaches, like Sony and Target, to find themselves besieged by lawsuits, but ones filed by the individuals whose personal data is stolen rarely succeed. . . . and courts have thrown out the suits for lack of standing.”
But the U.S. District Court for the Northern District of California ruled against Adobe in a similar case, which may give Sony plaintiffs hope that they have a leg on which to stand.
The Court found that the threat of harm to personal data is “immediate and very real. . . . Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. However, to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be ‘literally certain’ in order to constitute injury-in-fact.”
In other words, this Adobe case shows a shift in the judiciary’s viewpoint. The judiciary demonstrates a willingness to accept potential future harm as a sufficient reason to bring suit.
Fortunately, the current litigation trends are probably good news for employers because courts do not traditionally accept this reasoning. But, regardless of the success of these lawsuits, the cost to defend them can be significant; and, reputational harm can occur throughout the process.
A company that faces a security breach must not only deal with the immediate ramifications of the breach, but also may face potential legal action for the harm — or potential harm — its clients or employees may face.
The plaintiff’s bar is becoming savvier in crafting these cases. And courts are becoming more accepting of what constitutes harm. This is yet another reason why companies must take these breaches seriously and scrutinize their data and privacy systems before a breach happens – not after.