Two groups of former Sony employees filed putative class actions this week arising from the company’s recent data breach. Two former employees filed a putative class action in California federal court alleging Sony failed to secure the company’s computer network from hackers who were able to access employees’ confidential personal information. (The hackers were confirmed yesterday to be affiliated with the North Korean government.) Two other former employees filed a similar class action in Los Angeles Superior Court.
Both suits bring claims for negligence, violations of the California Confidentiality of Medical Information Act (“CMIA”), and violations of the California data breach notification laws. The federal class action also raises claims for violations of Virginia’s data breach notification laws on behalf of Virginia class members. In addition to actual damages allegedly suffered by the class members, the complaints seek statutory damages of $1,000 per class member under the CMIA, likely an attempt to address the standing issues plaintiffs typically face in data breach litigation. The lawsuits are yet another reminder of the liability that breached companies (which are themselves victims) can face following a data breach.