A familiar refrain of some corporate clients discussing data breaches is: “We’re not a health care company. We also don’t process customer credit card transactions. We really don’t collect protected health information or personally identifiable information from customers in any way. Do we need to be worried about data breaches?” A June 15, 2015 decision from the U.S. Central District of California reaffirms that the answer is a resounding, unqualified YES for any company that has employees, which means almost any company of any kind, regardless of whether it provides health-care-related services or processes customer credit card transactions.
In Corona v. Sony Pictures Entertainment (14-CV-09600 RGK (Ex)), Judge Klausner handed Sony employees a significant victory, holding that their negligence and California Unfair Competition Law (Cal. Bus. & Prof. Code Sec. 17200, “UCL”) claims were viable. As with most Rule 12 data breach class action challenges, Sony’s first line of attack was that the plaintiffs lacked Article III standing under the U.S. Constitution because they had suffered no “injury in fact.” The court disagreed, finding that the allegations that the employees’ protected health information (“PHI,” such as medical information) and personally identifiable information (“PII,” such as financial information) were posted on file-sharing websites for identity thieves to download, and that the employees had been threatened with physical harm by identity thieves, were sufficient to state an injury in fact.
Sony also argued, as to the negligence claims, that the plaintiffs had failed to adequately allege the element of injury and that the claims were barred by the economic loss doctrine. The court again disagreed, finding that the allegations of injury were sufficient because of the public disclosure of PII and PHI on file-sharing websites, and that the economic loss doctrine did not bar the claims because a special relationship existed between the employees and Sony that required the plaintiffs to provide their PII and PHI to Sony in exchange for compensation and benefits.
The UCL claims likewise survived because of sufficient allegations of injury in fact, and the court deemed Sony’s attack on the injunctive and declaratory relief claims premature.
As to the other claims, the court dismissed the breach of implied contract claims with prejudice because there were no facts indicating that Sony intended to frustrate the common purpose of the employment agreements (employment in exchange for compensation and benefits). The court also dismissed the California Customer Records Act (Cal. Civ. Code Sec. 1798.80, et seq.) claims with prejudice because the statute was intended to protect customers, not employees, and there were no allegations that Sony had violated the statute as to customers. And the court dismissed, without prejudice, the Virginia and Colorado data breach notification statute (Va. Code Sec. 18.2-186.6(B), Colo. Rev. Stat. Ann. Sec. 6-1-716(2)) claims because the plaintiffs had not alleged any injury arising from the alleged untimely notification.
This decision once again highlights that data breach is a problem that affects virtually any corporation, regardless of the nature of its business, because to receive compensation and benefits, employees generally must share PII and PHI with the corporation (creating obligations for the corporation to protect and respond to any breach of that information). Potential data breach class action adversaries are not just external to the corporation. The claims can also come from insiders.