In the wake of last year's major data breach at Sony Pictures Entertainment, in which sensitive personal information including Social Security numbers and health data on thousands of present and former employees was exposed, nine former employees affected by the data breach sued Sony, alleging that it was negligent in failing to protect their personal information. I first reported to you about this lawsuit, Corona et al v. Sony Pictures Entertainment, in my Scam of the day for March 13, 2015.
Recently Federal District Court Judge Gary Klausner denied a motion by Sony to dismiss the case. In his decision, Judge Klausner ruled that Sony created a “special relationship” with its employees by requiring them to provide personal information in order to be eligible for salaries and benefits, and that this relationship carried with it a duty to protect that information, particularly in light of Sony’s failure to institute proper security following the 2011 breach of its PlayStation video game network.
The hacking of Sony should be a wake-up call to all companies. Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions. The list of Sony’s failings is long. Data banks were not properly segregated. The company was particularly susceptible to phishing attacks. It retained personal information long after it was necessary, and it kept an unencrypted file entitled “Passwords” containing a compendium of passwords that gave the hackers ready access to sensitive information. These are just a few of Sony’s failings.
If the court in this case ultimately holds Sony responsible to its employees and former employees, you can well expect that other employees and customers of companies affected by similar data breaches will follow suit and seek redress in the courts.
There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches, other than to ask these companies what steps they take to protect the personal information they hold and to refrain from doing business with companies that do not provide a satisfactory answer. Additionally, we should limit as much as possible the personal information that we provide to such companies. For instance, your medical care providers do not need your Social Security number, although most medical care providers routinely ask for it.