Written by Kevin McGinty
With the inevitability of death and taxes, data breaches spawn class action lawsuits. The massive Sony PlayStation Network data breach has now resulted in the filing of a class action in federal court in Massachusetts captioned Thompson v. Sony Computer Entertainment. The named plaintiff asserts her claims on behalf of a putative class consisting of all persons nationwide “who purchased a Sony PlayStation console and subscribed to the PlayStation Network or Qriocity service, and suffered loss of service and have had personal or financial data stolen or compromised from Defendants’ computer systems.” (Full disclosure: I am a potential class member).
Plaintiff claims that Sony failed “to maintain adequate computer data security of consumer personal data and financial data, including, but not limited to credit card data.” The complaint alleges “on information and belief” – i.e., plaintiff suspects, but has no evidence to prove – that Sony violated the Payment Card Industry Data Security Standard (the “PCI Security Standards”) by, among other things, allegedly (i) storing and retaining credit card transaction and customer data in an unencrypted and unsecure manner; (ii) failing to destroy records after conclusion of authorized use; and (iii) failing to implement security procedures and practices to protect data from unauthorized access by computer hackers. Unsurprisingly, the complaint does not point to any specific facts beyond the existence of a breach to support the claim that Sony failed to comply with the PCI Security Standards which, in any event, are voluntary industry-based standards and not legal requirements for electronic transaction processing. Based on the Thompson complaint itself, there is little basis to conclude that the Sony data breach, reported to be the work of computer hackers, was attributable to any failure by Sony to comply with any legal duties applicable to the storage and use of the stolen data. Plaintiff’s claims are further undermined by her failure to allege that she – or any other putative class member – suffered any losses resulting from the data breach. As exemplified by a Ninth Circuit decision last summer, courts are increasingly requiring proof of financial loss as a prerequisite to maintaining a claim for breach of contract arising from a data breach. In the absence of losses that were caused by the PlayStation Network data theft, would-be class members are unlikely to have any actionable claim. Proving that class members have suffered such losses would require individualized fact finding that would preclude maintaining the Thompson case as a class action.
It is not possible to predict the viability of litigation arising from the PlayStation Network data breach based solely on the Thompson complaint. The complaint has all of the hallmarks of a pleading that has been slapped together quickly in order to win a race to the courthouse, including both misspellings (in the case caption, the defendant is identified as an “LCC” instead of “LLC”) and vague factual allegations made “on information and belief.” Should ongoing state and federal investigations reveal conduct that has breached legal duties owed by Sony to the PlayStation Network subscribers, it might then be possible for a subscriber who has actually suffered harm such as identity theft to state a viable claim against Sony. Unless evidence of specific misconduct and losses comes to light, however, it is unlikely that quickly filed lawsuits such as the Thompson class action will meet with much success.