The US District Court for the Central District of California has accepted, in part, the motion to dismiss a data breach class action against Sony Pictures.
A security breach at Sony led to 15,000 former and current Sony employees' information being stolen. The case alleged various infringements of Federal law including the violation of the California Customer Records Act, the violation of the Unfair Competition Law and negligence.
The court sided with the claimants by concluding that personally identifiable information was stolen and posted on file sharing websites and that this information was used to send threatening emails to employees. Consequently the Rule 12(b)(1) challenge by Sony was rejected.
The court denied the claim by the employees that future harm would follow from this data breach.
The court identified a "special relationship" between Sony and its employees which invalidated Sony's economic-loss doctrine defence. The court rejected the claim that Sony's delay in informing the employees caused economic injury to the claimants.
The California Confidentiality of Medical Information Act (CIMA) claim was upheld. CIMA safeguards employees medical information by establishing procedures to safeguard the confidentiality and protection of relevant data. The CIMA allows a private right of action for medical information which is negligently released, which enabled the claim to proceed through the courts.
The Unfair Competition Law (UCL) claim was also upheld. Employees presented sufficient evidence to suggest injury-in-fact and economic loss.
The implied contract claim was rejected as there was insufficient data to show that Sony had intended 'to frustrate the agreed common purpose of the [employment] agreement.'
The court also dismissed the California Customer Records Act (CRA) claim as the allegations were made by employees rather than customers. The court also dismissed the Virginia ad Colorado breach notification claims due to insufficient evidence illustrating that the delay in Sony notifying its employees in a timely manner.
This case highlights the continuing increase of data breach litigation.
Please click here to read the Minutes of the motion to dismiss.