An order handed down yesterday by a federal judge in the Southern District of California in In re: SONY GAMING NETWORKS AND CUSTOMER DATA SECURITY BREACH LITIGATION gutted much of the plaintiffs’ lawsuit against Sony over the 2011 PlayStation Network breach, but allows some important claims to go forward.
As background, Judge Battaglia summarized the litigation in the First Amended Consolidated Class Action Complaint (FACC) this way:
The fifty-one claims alleged in the FACC can be categorized into nine sub-groups: (1) negligence; (2) negligent misrepresentation; (3) breach of express warranty; (4) breach of implied warranty; (5) unjust enrichment; (6) violation of state consumer protection statutes; (7) violation of the California Database Breach Act; (8) violation of the federal Fair Credit Reporting Act; and (9) partial performance/breach of the covenant of good faith and fair dealing. Sony moves to dismiss the FACC on the basis that Plaintiffs lack standing and that each cause of action fails to state a claim upon which relief can be granted. Each is discussed in turn.
And discuss them he did – in a 97-page order.
I won’t pretend to have thoroughly read the order, nor to understand all the points of law. All I’ll do here is pull out a few sections that I found particularly interesting, beginning with this section:
i. Legal Duty to Provide Reasonable Security
Although neither party provided the Court with case law to support or reject the existence of a legal duty to safeguard a consumer’s confidential information entrusted to a commercial entity, the Court finds the legal duty well supported by both common sense and California and Massachusetts law. See, e.g., Witriol v. LexisNexis Grp., No. C05-02392 MJJ, 2006 WL 4725713, at *8 (N.D. Cal. Feb. 10, 2006); CUMIS Ins. Soc’y., Inc. v. BJ’s Wholesale Club, Inc., No. 051158, 2005 WL 6075375, at *4 (Mass. Super. Dec. 7, 2005) aff’d, 918 N.E.2d 36 (Mass. 2009); Yakubowicz v. Paramount Pictures Corp., 536 N.E.2d 1067, 1070 (Mass. 1989) (“A basic principle of negligence law is that ordinarily everyone has a duty to refrain from affirmative acts that unreasonably expose others to a risk of harm.”). As a result, because Plaintiffs allege that they provided their Personal Information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their Personal Information, including the utilization of industry-standard encryption, the Court finds Plaintiffs have sufficiently alleged a legal duty and a corresponding breach.
Later, in the section on Fraud-Based Affirmative Misrepresentations, Judge Battaglia writes:
However, the Court finds Plaintiffs’ final two contentions are sufficiently plead. Plaintiffs allege that Sony misrepresented that it would take “reasonable steps” to secure Plaintiffs’ Personal Information, and that “Sony Online Services use[d] industry-standard encryption to prevent unauthorized access to sensitive financial information.” (Doc. No. 94-2, Ex. B at 6.) Although Sony seeks to combat these allegations by stating that Sony disclaimed any right to so-called “perfect security,” the Court agrees with Plaintiffs that whether or not Sony’s representations regarding “reasonable security” were deceptive, in light of Sony’s additional representations regarding “industry-standard” encryption, are questions of fact not suitable for disposition on a motion to dismiss. Thus, because Sony made competing, potentially ambiguous representations, the Court cannot find the representations were not deceptive as a matter of law. See Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 508 (Cal. Ct. App. 2003) (“A perfectly true statement couched in such a manner that it is likely to mislead or deceive the consumer, such as by failure to disclose other relevant information,” is actionable). This determination is more properly adjudicated after discovery regarding Sony’s use or non-use of industry standard encryption. Accordingly, the Court GRANTS Sony’s motion to dismiss the UCL, FAL, and CLRA claims based on affirmative misrepresentations regarding Plaintiffs’ ability to access the PSN and connect to the Internet, and DENIES Sony’s motion to dismiss Plaintiffs’ claims based on affirmative misrepresentations contained within the PSN User Agreement and the PSN Privacy Policy regarding “reasonable security” and “industry-standard encryption.” (FACC ¶¶ 149-150, 155, 163, 175.)
So Judge Battaglia denied Sony’s motion to dismiss claims filed under California’s Unfair Competition Law (UCL) and California’s False Advertising Law (FAL) based on misrepresentations and omissions regarding reasonable network security and industry-standard encryption and Plaintiffs’ ability to seek restitution under the statutes (Counts 1, 2). He also denied dismissal of the California Consumer Legal Remedies Act (CLRA) claim based on misrepresentations and omissions regarding reasonable network security and industry-standard encryption (Count 3).
Another section I noted concerned the plaintiff’s ability to recover costs incurred to purchase credit monitoring services, as this is an issue that has come up in other cases as well:
Second, with respect to Howe’s ability to recover costs incurred to purchase credit monitoring services, the Court finds Howe has failed to allege why these prophylactic costs were reasonably necessary, and therefore proximately caused by Sony’s alleged breach.[18] In assessing whether credit monitoring services in the context of data breach cases are recoverable in negligence, courts have generally analogized to medical monitoring cases, which require a plaintiff to plead that the monitoring costs were both reasonable and necessary.[19] See Stollenwerk, 254 F. App’x at 666; Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 639 (7th Cir. 2007). As a result, courts assessing data breach cases have found that where a state allows recovery for medical monitoring damages (as does California), and a plaintiff has sufficiently alleged a threat of identity theft (i.e., the opening of unauthorized accounts), a plaintiff may seek to recover expenses to purchase credit monitoring services. However, as with the recovery of medical monitoring costs, this is a high burden and requires a plaintiff to plead both a logical and temporal connection between the decision to purchase credit monitoring services and the defendant’s alleged breach. See Stollenwerk, 254 F. App’x 664 at 668; Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 915 (N.D. Cal. 2009) aff’d, 380 F. App’x 689 (9th Cir. 2010) (“Ruiz cannot meet California’s standard for recovery of monitoring costs because he has presented no evidence that there was a significant exposure of his personal information, and he has presented no evidence that he has become a victim of identity theft.”).
Here, Plaintiff Howe has not met this high burden because he has not alleged any instances of identity theft resulting from the intrusion. See Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 709 (S.D. Oh. 2007) (stating that the recovery of credit monitoring services as a measure of cognizable damages is a question of law to be decided by the court). Although Howe alleges that he was forced to close two bank accounts, Howe does not allege when he closed these accounts, why he closed these accounts, or whether he has ever been a victim of identity theft in the past. (FACC ¶ 22.)
These allegations remain unchanged even though Plaintiffs were permitted leave to amend the Consolidated Complaint after Sony’s initial motion to dismiss. Therefore, in accordance with analogous medical monitoring cases and data breach cases from other districts, the Court finds Howe has failed to allege that his prophylactic credit monitoring costs were a reasonably foreseeable result of Sony’s alleged breach.[20]
So no joy there for data breach victims who elect to purchase credit monitoring services when they have not themselves become victims of ID theft and there are no reports suggesting that others have become victims of ID theft as a result of the breach.
You can read the full order to find out what happened to the other counts of the complaint here.
As a reminder, Sony was fined £250,000 by the U.K. Information Commissioner’s Office over the breach. What, if anything, the FTC has done or is doing has not been made public.