The bad news just keeps on rolling in for Sony. The recent leak of personal identification information for over 77 million accounts was bound to stir up a lawsuit, and in record timing, the Rothken Law Firm and Kershaw, Cutter & Ratinoff, LLP have filed a federal class-action suit on behalf of Alabama resident, Kristopher Johns, in the Northern District of California. The Complaint alleges that Sony failed “to maintain adequate computer data security of consumer personal data and financial data” in violation of California law and seeks damages for their “loss (both temporary and permanent) of use of their PlayStation consoles and the PlayStation Network and Qriocity services…and their time and effort spent attempting to protect their privacy, identities and financial information.” The suit is seeking damages in excess of 5 million dollars, which includes the costs of credit monitoring for members of the class and punitive damages.
One of the central arguments in the Complaint is that Sony knew of the breach for at least six days and did not notify its users when it should have. Sony recently explained on their official blog that the reason for the delay was because the company did not immediately realize that personal information had been compromised. While this fact will ultimately be one for a jury to decide, a bigger concern for Sony is that their Privacy Agreement for the PlayStation Network contained the following clause:
Accuracy & Security
We take reasonable measures to protect the confidentiality, security, and integrity of the personal information collected from our website visitors. Personal information is stored in secure operating environments that are not available to the public and that are only accessible to authorized employees. We also have security measures in place to protect the loss, misuse, and alteration of the information under our control…
Sony has already admitted that it failed to encrypt the personal identification information of its user accounts, which could partially substantiate the claims asserted in the Complaint:
Q&A #1 for PlayStation Network and Qriocity Services
Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
No network is completely safe from hacking and the legal standard Sony will be judged under will not be one of 100% infallibility. That being said, if Sony failed to install security measures in place that met the accepted industry standards, the company could be at risk. By not encrypting users’ data, Sony may not have met that burden. In order to prevent further information about the security of its network to become public, Sony may attempt to settle the matter early if the Northern District Court of California grants class certification. Failure to do so would only extend this public relations nightmare.
Wedbush Securities analyst, Michael Pachter, has estimated that the total loss of revenue from the PlayStation Network outage alone to be approximately $20 million and that the cost of reimbursing PlayStation Plus members would be about another $10 million. Based upon a 2010 estimate issued by The Ponemon Institute, a data-security research firm, Sony could potentially incur an additional cost of $318 per compromised record where a criminal act resulted. At over 77 million user accounts, this could result in a total loss over 24 billion dollars (!).
Of course, this is just a generalized estimate and there’s no solid evidence to date that any of the illegally obtained data has been used to commit identity theft or credit card fraud. If this case were to settle, Sony would likely agree to provide free credit monitoring for two or three years and insurance for any resulting losses as suggested by United States Senator Richard Blumenthal of Connecticut. That solution, however, would only apply to those users in the United States. Sony could still be at risk for additional losses or fines in other countries where the privacy laws are much more strict.
We expect that additional class actions will be filed over the coming weeks and will eventually be consolidated. At that point, Sony will have to decide whether it wishes to fight class certification or to offer an early settlement. Either way, the data loss will probably be an expensive lesson for the company.
Sources: Forbes; Joystiq