Sony PlayStation Data Breach Lawsuit Whittled Down but Moves Forward
We blogged previously about the claims resulting from the breach of the PlayStation networks. The claims did not receive a warm reception. (“Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Networks”.) Plaintiffs were given a chance to amend their claims, and the court has now issued a ruling getting rid of a majority of them. Nevertheless, the fact that some claims remain is problematic.
The latest order is a 97-page behemoth that contains a comprehensive review of the various state law claims and doctrines relevant to resolving a major data breach incident. It’s almost a mini-treatise of applicable law in the area. Highlights from the court’s order:
– the court says, citing to Krottner and Clapper, that plaintiffs satisfy Article III standing requirements.
– the court dismisses 45 of the claims that are premised on theories ranging from negligence to breach of warranty and unjust enrichment. With respect to these claims, numerous limitations in traditional negligence and contract law, such as the economic loss doctrine, the special relationship requirement, and the efficacy of disclaimers, all worked to defendants’ benefit.
– even with respect to some of the negligence claims that are dismissed, the court says that defendants had a legal duty to provide adequate security.
– consumer protection claims for restitution based on misleading statements about data security (that allegedly induced the purchase of PS2 units) go forward.
– claims for injunctive relief under consumer protection laws of several states go forward.
– claims for damages under California’s Database Breach Act are dismissed, but claims for injunctive relief go forward.
___
Absent a big change to the ground rules, Article III standing may not be the most effective way to screen out data breach lawsuits. Courts often pick between Article III and the merits, but recent cases tend to indicate the limitations of Article III in screening out these claims.
Data breach notification statutes ostensibly serve a variety of purposes, but they will probably not be useful for plaintiffs who bring damage claims. Granted, in this case, plaintiffs received notification within ten or eleven days of the breach, but the court took a fairly restrictive view of what type of damage would satisfy causation requirements from any delayed notification.
There were several different terms of service and privacy policy provisions that consumers encountered in the course of buying products or services from Sony. The interplay between these various policies adds some factual complexity to the case. Interestingly, many of Sony’s contractual disclaimers were effective, but only after the judge scrutinized several aspects (e.g., placement, prominence) carefully.
Eventually, what ends up giving plaintiffs the best hook are Sony’s marketing representations:
“reasonable steps to secure [Plaintiffs’] personal information . . . use industry-standard encryption to prevent unauthorized access to sensitive financial information.”
We’ve seen this happen time and time again (e.g., Twitter’s flowery language that the FTC latched on to), and perhaps it’s an unavoidable battle between the marketing department and the legal department, but it’s worth noting that a big part of the claims that survive here is based on flowery marketing language contained in Sony’s user agreement and privacy policy. Even though there were disclaimers and limitations in the policy and notwithstanding the well-accepted notion that no one reads these policies, the court still allows claims to survive based on this language.
Given that there are no statutory damages available (restitution in the form of a refund may serve as a nice substitute), and given that the bulk of the surviving claims are misrepresentation-based claims that may not hold up to the light of discovery, it will be interesting to see whether the ruling prompts a settlement or whether Sony will take the route Apple took and litigate the claims.
Case citation: In re Sony Gaming Networks and Customer Data Security Breach Litigation, MDL No. 11md2258 AJB (MDD) (S.D. Cal. Jan 21, 2014) [pdf]