In the wake of the massive and well-publicized cyber attack on Sony Pictures Entertainment in November 2014, current and former Sony employees have filed multiple class action lawsuits against the company, claiming that lax security allowed their personal information to be accessed by hackers. In mid-December, Sony announced that it would halt the release of “The Interview,” a satirical movie about a plot to assassinate North Korean leader Kim Jong Un, in response to a series of threats to the company, its employees and their families, and theaters that showed the film. The decision ultimately came after a group of hackers called “Guardians of Peace” accessed massive amounts of data from Sony on November 24, 2014. According to one lawsuit, the hackers then proceeded with a staggered series of information leaks and threats:
The hackers released five Sony films, four of which had not been released, on November 27.
A few days later, hackers posted the salary information for 6,000 current and former employees, including the top 17 Sony executives.
On December 3, passport and visa information for cast and crew members, film budgets and confidential contracts were shared online.
Finally, on December 5, Sony employees received an email soliciting online signatures to show support for the Guardians of Peace. If the employee refused to sign, the message read, “not only you but your family will be in danger.” Sony cited this email as the reason for ultimately pulling the film.
In a recent press conference, President Obama stated that Sony “made a mistake” by succumbing to the hackers’ threats and pulling the film. “We cannot have a society in which some dictator someplace can start imposing censorship herein the United States,” he said. “Because if somebody is able to intimate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like or new reports they don’t like.”
Sony employees have responded as well. In a theatrical fashion, one complaint reads, “An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees: Their most sensitive data including over 47,000 Social Security numbers, employment files including salaries, medical information and anything else that their employer Sony touched, has been leaked to the public, and may be in the hands of criminals.”
The lawsuits criticize Sony for its lax cyber security concerning its employees’ personal information and data and its retention policies concerning that data. The lawsuits alleged that Sony maintained employee data far longer than necessary, resulting in to compromise of data of former employees, possibly dating back as far as 1955. Some of the named plaintiffs have not been employee by the company for many years, yet their personal information, including Social Security numbers, personal emails, salary information, detailed medical records, communications concerning health insurance disputes, and other private information was accessed by hackers. The complaints estimate that the hackers managed to steal the private data of as many as 50,000 current and former employees.
The complaints raise legitimate and pressing questions for all employers, not just multi-billion dollar companies, about the protections in place for their own employees’ private information. Employers large and small should ensure that the latest technology is diligently utilized to prevent access by hackers and to avoid other cyber security breaches. Companies should also reconsider their retention policies concerning former employees’ data, so as not to subject them to unnecessary security risks. Sony faces a series of potential HIPAA violations and related claims related to the release of the employees’ medical information, which emphasizes the need for all employers to put protections in place for their employees’ insurance and health information. Even if there is no risk of drawing global attention or eliciting commentary from the President, the effects of a security breach of employee data could be devastating to any company and its employees.