Sony PlayStation Data Breach Lawsuit Whittled Down but Moves Forward
We blogged previously about the claims resulting from the breach of the PlayStation networks. The claims did not receive a warm reception. (“Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Networks”.) Plaintiffs were given a chance to amend their claims, and the court issues a ruling getting rid of a majority of claims. Nevertheless, the fact that some claims remain is problematic.
The latest order is a 97 page behemoth that contains a comprehensive review of the various state law claims and doctrines relevant to resolving a major data breach incident. It’s almost a mini-treatise of applicable law in the area. Highlights from the court’s order:
– the court says, citing to Krottner and Clapper, that plaintiffs satisfy Article III standing requirements.
– the court dismisses 45 of the claims that are premised on theories ranging from negligence to breach of warranty and unjust enrichment. With respect to these claims, numerous limitations in traditional negligence and contract law, such as the economic loss doctrine, the special relationship requirement, and the efficacy of disclaimers, all worked to defendants’ benefit.
– even with respect to some of the negligence claims that are dismissed, the court says that defendants had a legal duty to provide adequate security.
– consumer protection claims for restitution based on misleading statements about data security (that allegedly induced the purchase of PS2 units) go forward.
– claims for injunctive relief under consumer protection laws of several states go forward.
– claims for damages under California’s Database Breach Act are dismissed, but claims for injunctive relief go forward.
Absent a big change to the ground rules, Article III standing may not be the most effective way to screen out data breach lawsuits. Courts often pick between Article III and the merits, but recent cases tend to indicate the limitations of Article III in screening out these claims.
Data breach notification statutes ostensibly serve a variety of purposes, but they will probably not be useful for plaintiffs who bring damage claims. Granted, in this case, plaintiffs received notification within ten or eleven days of the breach, but the court took a fairly restrictive view of what type of damage would satisfy causation requirements from any delayed notification.
Eventually, what ends up giving plaintiffs the best hook are Sony’s marketing representations:
reasonable steps to secure [Plaintiffs’] personal information . . . use industry-standard encryption to prevent unauthorized access to sensitive financial information.
Given that there are no statutory damages available (restitution in the form of a refund may serve as a nice substitute), and given that the bulk of the surviving claims are types of mis-representation-based claims that may not hold up to the light of discovery, it will be interesting to see whether the ruling prompts a settlement or whether Sony will take the route Apple took and litigate the claims.
Case citation: In re Sony Gaming Networks and Customer Data Security Breach Litigation, MDL No. 11md2258 AJB (MDD) (S.D. Cal. Jan 21, 2014) [pdf]
Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net
Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark
Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails — Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]
Pingback: Data Breach Lawsuit Followup | Geek Law()
Pingback: Apple May Be Liable For Privacy Violations by Third Party Developed Apps | Technology & Marketing Law Blog()