Sony PlayStation Data Breach Lawsuit Whittled Down but Moves Forward
We blogged previously about the claims resulting from the breach of the PlayStation networks. The claims did not receive a warm reception. (“Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Networks”.) Plaintiffs were given a chance to amend their claims, and the court issues a ruling getting rid of a majority of claims. Nevertheless, the fact that some claims remain is problematic.
The latest order is a 97 page behemoth that contains a comprehensive review of the various state law claims and doctrines relevant to resolving a major data breach incident. It’s almost a mini-treatise of applicable law in the area. Highlights from the court’s order:
– the court says, citing to Krottner and Clapper, that plaintiffs satisfy Article III standing requirements.
– the court dismisses 45 of the claims that are premised on theories ranging from negligence to breach of warranty and unjust enrichment. With respect to these claims, numerous limitations in traditional negligence and contract law, such as the economic loss doctrine, the special relationship requirement, and the efficacy of disclaimers, all worked to defendants’ benefit.
– even with respect to some of the negligence claims that are dismissed, the court says that defendants had a legal duty to provide adequate security.
– consumer protection claims for restitution based on misleading statements about data security (that allegedly induced the purchase of PS2 units) go forward.
– claims for injunctive relief under consumer protection laws of several states go forward.
– claims for damages under California’s Database Breach Act are dismissed, but claims for injunctive relief go forward.
Absent a big change to the ground rules, Article III standing may not be the most effective way to screen out data breach lawsuits. Courts often pick between Article III and the merits, but recent cases tend to indicate the limitations of Article III in screening out these claims.
Data breach notification statutes ostensibly serve a variety of purposes, but they will probably not be useful for plaintiffs who bring damage claims. Granted, in this case, plaintiffs received notification within ten or eleven days of the breach, but the court took a fairly restrictive view of what type of damage would satisfy causation requirements from any delayed notification.
Eventually, what ends up giving plaintiffs the best hook are Sony’s marketing representations:
reasonable steps to secure [Plaintiffs'] personal information . . . use industry-standard encryption to prevent unauthorized access to sensitive financial information.
Given that there are no statutory damages available (restitution in the form of a refund may serve as a nice substitute), and given that the bulk of the surviving claims are types of mis-representation-based claims that may not hold up to the light of discovery, it will be interesting to see whether the ruling prompts a settlement or whether Sony will take the route Apple took and litigate the claims.
Case citation: In re Sony Gaming Networks and Customer Data Security Breach Litigation, MDL No. 11md2258 AJB (MDD) (S.D. Cal. Jan 21, 2014) [pdf]