Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Networks

October 15, 2012 · by Venkat Balasubramani · in E-Commerce, Licensing/Contracts, Privacy/Security

In re Sony Gaming Networks and Customer Data Security Breach Litigation, 2012 WL 4849054 (S.D. Cal.; Oct. 11, 2012)

This is a class action arising out of a hack of Sony’s online gaming network. The hacks commenced on April 16 or 17, 2011. When Sony discovered that its networks had been compromised, it took some networks completely offline (for up to a month). Approximately 10 days later, Sony acknowledged that customer information had been compromised and said that it was “reviewing options.” Ultimately, Sony offered its consumers:

free identity theft protection services, certain free downloads and online services, and ‘[said that it would] consider’ helping customers who [had] been issued new credit cards.

data breach.jpg Plaintiffs’ lawyers readied their engines and filed multiple class actions that were consolidated in the Southern District of California. (The page listing counsel is worth a look–there were 100s of lawyers involved!) Sony brought a motion to dismiss. The court grants the motion, with leave to amend.

Standing: Citing Krottner v. Starbucks, a case where employee data was stolen from a laptop, the court says that plaintiffs satisfy standing. The court does find that plaintiffs failed to allege any basis for standing as to two Sony entities, but Sony doesn’t have any luck overall kicking the lawsuit on the basis of standing.

Negligence: As to plaintiffs’ negligence claim, the court says that, absent accompanying physical harm, a plaintiff cannot recover for “purely economic loss” in negligence (under California law). In order to get around the economic loss rule, plaintiffs have to plead either the existence of a “special relationship” or allege that they suffered physical or property damage. The court finds that plaintiffs failed to adequately allege facts regarding the exception, but gives them a chance to re-plead. The court also hammers plaintiffs on whether they have alleged cognizable injury for negligence purposes:

without specific factual statements that plaintiffs’ personal information has been misused, in the form of an open bank account, or an un-reimbursed charges, the mere ‘danger of future harm, unaccompanied by present damage, will not support a negligence action.’

Ouch. For good measure, the court also says plaintiffs’ allegations that their consoles have lost value as a result of the data breach are “illusory.”

Consumer protection act claims: The court dismisses the consumer protection act claims brought by the out-of-state plaintiffs. For in-state plaintiffs, to have standing, plaintiffs have to show that they lost “money or other property.” The court rejects each of the plaintiffs’ arguments that they lost money or other property as a result of the breach: (1) heightened risk of injury and money spent allegedly remedying this is not sufficient under unfair competition statutes (citing the iPhone App Litigation and Ruiz v. Gap); (2) interruption of service and damage to the value of their consoles is similarly too speculative; and finally (3) diminution in the value of their consoles isn’t a credible allegation (and one that plaintiffs disavowed at oral argument).

Even if plaintiffs had standing, they had to point to statements by Sony that are “likely to deceive” a reasonable consumer, and show that consumers actually relied on such statements. Even if they get past this hurdle, they fail to point to what type of injunctive relief they would be entitled to; they don’t have restitution available as a remedy because plaintiffs did not pay Sony money for something that they didn’t obtain the benefit of.

Separately, the court says that plaintiffs do not have a cause of action available under the Consumer Legal Remedies Act because the transaction (access to the PSN) did not result in a sale or lease and even if it did, access to PSN is not a “good or service” for purposes of the CLRA (citing Ferrington v McAffee).

CA Data breach statute: Plaintiffs also brought claims under California’s newly enacted data breach statute [pdf]. This statute requires businesses to notify affected consumers of data breaches “in the most expedient time possible and without unreasonable delay.” The court says that only California residents can bring this cause of action. With respect to these plaintiffs, the court says that the savings clause insulates Sony’s actions. Section 1798.84(d) says that unless there’s an allegation that the defendant acted willfully, the defendant company is totally insulated if it provided the known information within 90 days of when it had knowledge that there was a breach.

Bailment: Plaintiffs finally brought a cause of action for bailment, which is where you deposit personal property with someone (and they are required to return it to you?). The court says that the intervening act of a third party malfeasor makes it hard to hold Sony liable, and in any event, it’s difficult to see how plaintiffs “deposited their personal property” with Sony.

This is another in a long line of cases rejecting claims brought by data breach plaintiffs. Although the court gives plaintiffs leave to amend their complaint, they don’t have an easy task amending to remedy the deficiencies. In particular, application of the economic loss rule will make it tough for plaintiffs to bring negligence claims. The consumer protection act claims also have built in procedural challenges in a situation such as this where plaintiffs are not complaining about a straightforward money for goods/services transaction where consumers were injured. There’s the final recurring issue that’s common to all of the data breach cases: plaintiffs have to come forward with some credible injury or out-of-pocket loss, and an apprehension that your data will be misused is generally regarded is insufficient.

It’s worth contrasting the result here with a recent opinion in a data breach case from the Eleventh Circuit (Resnick v. Avmed). (See posts from David Navetta and SC Magazine on this ruling.) In Avmed the Eleventh Circuit reversed the district court’s dismissal of claims brought by data breach plaintiffs, but noted that the named plaintiffs alleged that their information had actually been misused:

Curry’s . . . information was used to open a Bank of America account and change her address with the United States Post Office, and Moore’s . . . information was used to open an E*Trade Financial account . . . .

In contrast, in this case, the court notes that allegations of misuse of the data were missing (“without specific factual statements that plaintiffs’ [information] has been misused . . . the . . . danger of future harm, unaccompanied by present damage, will not support a negligence action”).

These cases raise a couple of questions. Are these class actions going to end up consisting of classes of individuals who have had their information misused in some way? Second, does it matter whether these expenses or losses are unreimbursed? If someone opens a bank account in an end user’s name and ultimately the bank cancels the card and all of the charges, does the hassle and expense of dealing with the situation count as compensable damages?

The court’s conclusion on the California data breach statute is significant given the dearth of rulings (if any) under this statute. [I was slightly confused by the court’s application of 1798.84(d), as this appeared to me to be a provision of California’s “Shine the Light” statute.]

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou