Sony Data Breach Lawsuit Settlement Agreed

The huge cyberattack on Sony last year resulted in hackers obtaining the confidential information of employees, potentially placing those individuals at risk of damage or loss.

In the wake of the breach, employees were rapidly signed up for a class-action lawsuit against Sony. Approximately 50,000 current and former employees of the entertainment giant added their names to the lawsuit, which sought damages for the potential exposure of data. In many cases, employees of Sony had their confidential data posted online for all to see.

The data included detailed information on the medical diagnoses of employees and their families, including cancer, kidney failure and alcoholic liver disease, together with birth dates, gender, health conditions and medical costs incurred. The clinical information of approximately 30,000 individuals was exposed in the breach.

The 2014 cyberattack may have been the largest data breach suffered by the company, but it was not the first. In 2011, Sony suffered a large-scale breach that exposed the confidential data of millions of PlayStation users, and internal audits revealed a number of vulnerabilities in its electronic security procedures.

The plaintiffs in the suit claim that Sony should have taken action after previous data breaches to improve its protections, but the company failed to do so. Lionel Felix, a former director of technology at Sony, has also spoken about the lack of security controls, while a number of employees have criticized Sony for putting more effort into protecting its corporate image than into protecting the privacy of its employees.

The plaintiffs claimed that by “failing to design and implement appropriate firewalls and computer systems, failing to properly and adequately encrypt data, losing control of and failing to timely re-gain control over Sony Network’s cryptographic keys, and improperly storing and retaining Plaintiffs’ and the other Class members’ [PHI] on its inadequately protected Network,” the company breached its duty to protect employees.

Since Sony is not a healthcare provider, insurer or healthcare clearinghouse, it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), so it is not required by federal law to implement the same level of protection for health data as HIPAA-covered entities. However, since the company is based in California, it is subject to that state's medical record protection laws.

According to a recent article in the San Diego Tribune, Sony has agreed to settle the case with the plaintiffs. The filing gives no details of compensation or damages, nor of how the affected individuals would be covered, but Daniel C. Girard, attorney for the plaintiffs, recently issued a statement saying “We believe the proposed settlement is a favorable resolution of the claims asserted by the plaintiffs.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.