On April 27, 2011, lawyers in California filed a class action complaint against Sony for failing to protect sensitive information of consumers using the PlayStation® game console and Playstation® Network. The complaint arises from events surrounding a security breach at Sony compromising users’ data. In fact, the complaint claims that the Sony breach may result in “the greatest potential for credit card fraud to ever occur in United States history.” The case is pending in the United States District Court for the Northern District of California. The complaint seeks damages, restitution, disgorgement of amounts obtained due to the alleged misconduct, injunctive relief, and related relief.
The complaint alleges claims under California’s Unfair Competition Law, California’s False Advertising Law, Violation of California’s Song-Beverly Act, California’s Consumers Legal Remedies Act, breach of express contract, breach of implied contract, violation of California’s SB 1386, and common law negligence. The plaintiff claims that Sony failed to take care to prevent the security breach, the compromise of sensitive information damaged him and the putative class, Sony’s response in shutting down the service further damaged him and the putative class, and plaintiff and the class now fear future fraud from the compromise and misuse of sensitive information. In addition, the plaintiff claims that Sony’s delay in making its breach notification under SB 1386 further damaged him and the putative class.
I find it interesting – and sobering – to see that the complaint points out that the breach was occurring around April 17 or 18. As mentioned above, and lawyers filed the twenty-two page complaint nine days later, on the 27th. Nine days from security breach to class action lawsuit. That appears like a very quick reaction, but I am told that it could have even been quicker.
The fact that Sony is engaging in a security program revamp – tightening security in various ways—tends to show that it could have done better in protecting consumer information in the first place. The failure of a major company to implement security controls and a later breach seem to lead directly to a class action case. The lesson learned here is that it is better to implement the security remediation before the breach, rather than paying remediation costs – and incident response costs and fees and costs to defend the inevitable expensive class action suit—after a breach.
Stephen Wu
Partner, Cooke Kobrick & Wu LLP