The Washington PostDemocracy Dies in Darkness

Lawsuits against Sony Pictures could test employer responsibility for data breaches

Cars enter Sony Pictures Entertainment headquarters in Culver City, Calif (AP Photo/Nick Ut)

The massive hack of Sony Pictures Entertainment is raising a potentially costly question for companies across the country:
How much responsibility do they have for protecting the most sensitive information about their employees?

Former employees have filed four lawsuits this week accusing Sony of not doing enough to protect their private data, including Social Security numbers, salaries, performance reviews and personal medical information. The latest suit, filed late Thursday on behalf of Michael Levine, a former technical director at Sony Pictures Imageworks and Felix Lionel, a former Sony Pictures director of technology, says the company's negligence led to the release of personal information about 47,000 current and former employees.

"For decades, [Sony] failed, and continues to fail, to take the reasonably necessary actions to provide a sufficient level of IT security to reasonably secure its employees' [personal information]," according to the class action lawsuit filed in U.S. District Court in California by San Francisco-based Lieff Cabraser Heimann & Bernstein LLP.

The Sony attack, already one of the most damaging corporate cyber attacks in history, is sending chills through corporate executive suites. Companies accustomed to protecting customers' credit card data and their trade secrets, now face a more daunting task: Securing sensitive personnel data that until the attack on Sony was not considered valuable to hackers.

"This event is much more than a data breach in the traditional sense -- it represents a sea change in the world of cyber attacks," said Lisa Sotto, a cybersecurity lawyer at New York-based Hunton & Williams. "Companies need to be acutely focused on preventing these types of attacks because they are aimed at toppling a company."

Sony declined to comment on the lawsuits, and some say it may be too early to blame the company.

"The real question is, was this Sony's fault in the sense that it had lax security? I think it's too early to tell," said David Vladeck, a former Federal Trade Commission official and a Georgetown law professor.

"There's a great deal of forensic work that goes into examining a data breach of this magnitude."

Sony, one of Hollywood's largest studios, has been struggling to contain the fallout from the hack since Thanksgiving. It cancelled the release of "The Interview," a comedy about an assassination plot against North Korean leader Kim Jong Un, on Wednesday after hackers claiming responsibility for the breach warned that they would attack movie theaters that showed the film. On Friday, federal officials accused North Korea of carrying out the attack.

The lawsuits launched by employees threaten to draw out the company's effort to clean up the damage for years.

The lawsuit filed in federal court Thursday said Sony had plenty of warning that it was vulnerable to a cyber attack, including a massive hack of its PlayStation Network in 2011. Sony intentionally did not provide "adequate data security" in order to save money, the suit said. It was also lax about internal security, keeping passwords to its computer networks and social media accounts in files labeled "password."

The suit also points to a 2007 interview that Jason Spaltro, the company's then executive director of information security, gave to CIO magazine in which Spaltro weighed the cost of providing more cybersecurity against the potential cost of a breach. Sony processed about 5 million credit card transactions a month, mostly associated with its PlayStation consoles, he said.

"It's a valid business decision to accept the risk. I will not invest $10 million to avoid a possible $1 million loss," Spaltro said.

Unlike major breaches of retailers earlier this year, the data exposed in the Sony hack has been much broader, and potentially more disruptive. The attacks of major retailers such as Target and Home Depot have largely involved the theft of credit card data. The retailers quickly offered affected customers free credit monitoring service and the customers' banks replaced their payment cards, a well-worn playbook for limiting the cost of a breach, experts said.

But it's much more difficult to put a price tag on the exposure of personnel information. "If a Social Security number is stolen, you can identifyy theft as a real potential risk of harm," said Sotto. "But for something like an employee evaluation, it's very difficult to measure potential damages there in concrete terms."

Particularly troublesome for Sony is the hackers' distribution of employees' private health care information, experts said. Among the information disclosed as part of the attack, according to the lawsuit filed Thursday, were "the medical records of employees with particularly costly treatment requirements, including premature births, cancer, kidney failure, and liver cirrhosis. Other disclosed information includes detailed discussions with insurers over denied claims for surgeries and speech therapy sessions."

California, where Sony Pictures is based, has some of the country's strictest laws protecting the privacy of medical records, experts say. The government penalties for unlawful disclosure of the data could reach millions of dollars, but if employees show they were harmed they can sue for much more, said Peter Rukin, a privacy attorney with San Francisco-based Rukin Hyland Doria Tyndell.

"Civil code requires any medical information to be kept separate from other employee information. It needs to be maintained behind a security system," Rukin said. It's unclear what kind of system Sony used, but Ruskin said it "should have been under lock and key."

A separate suit filed Tuesday in a Los Angeles district court by two production managers says Sony knew the risks of releasing the "The Interview." "Sony received multiple warnings that retribution for releasing the film was inevitable," the lawsuit says, adding that the company should have known that moving forward on the film "created an unreasonable risk" for employees.

E-mails show that Sony executives debated the details of a gory Kim Jong Un death scene at the end of the film, according to various media reports about documents released as part of the hack. Sony's Japanese chief executive, Kazuo Hirai, even weighed in, insisting over the summer that a scene in which Kim's head explodes when hit by a tank shell be toned down to remove images of flaming hair and chunks of skull, Bloomberg reported.

Still, mounting a case will be difficult. The suits filed so far seek class action status and that could be tricky since each employee has faced different types of damage, experts say. Also, since U.S. officials now believe North Korea is responsible for the hack - rather than a rogue group of cybercriminals- holding Sony responsible could be more difficult, experts say.

"I think the employees have a right to be upset, it's just hard to know if there's real fault," said Art Gilliland, senior vice president and general manager at Hewlett Packard Security. "Determined adversaries are going to find a way."

Cecilia Kang contributed to this report