Sony Playstation May Prove To Be Trailblazing In A New Arena - the Courtroom

Sony Playstation is well known for its innovative game platform and cutting-edge gaming technology.  (It is our favorite system at home!)  Sony soon may have the opportunity to blaze new trails in the legal arena as well.

In the wake of the widely publicized April hack into the Playstation Network have come, unsurprisingly, a number of lawsuits.  Several putative class actions allege violations of various state laws, breach of contract and a number of tort theories. 

Many of the allegations are what one would expect - failure to maintain reasonable security precautions, inappropriate retention of personal data, breach of representations in Sony's user agreements, etc., but among the more interesting is the claim that Sony failed timely to disclose the breaches to its customers. 

44 states plus DC - and including California -require businesses to notify consumers if their personal data have been compromised.   A few of those states allow a fixed amount of time (typically 45 days) from discovery of a breach in which notice must be provided.  Most specify that it should be provided as quickly as possible, but almost all allow for delay if earlier disclosure would impede law enforcement or if delay is needed to restore network integrity. 

Here, Sony undeniably advised customers of certain of its services that their data may have been compromised a little over a week after the breach and notified others about a week later - hardly what one ordinarily would consider an overly long delay.   Indeed, Sony's CEO explained in a blog post (blogs - the preferred way to communicate!):

I know some believe we should have notified our customers earlier than we did. It’s a fair question. As soon as we discovered the potential scope of the intrusion, we shut down the PlayStation Network and Qriocity services and hired some of the best technical experts in the field to determine what happened. I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had — or had not — been taken.

So it may be that Sony did not even know whose data had been hacked until sometime after the initial discovery of the problem, making an allegation of "delay" even more questionable.  Of course, I don't know the facts here, and presumably they will be discovered should the suits continue.

Nonetheless, these suits have the potential to realize two of the most significant criticisms of these state laws at the time they first became popular:

·          Holding companies to an impossibly short standard on when to provide notice might force them to notify prematurely, resulting in notices when no actual breach occurred or to people whose data were not compromised.  A succession of "false alarms", in turn, may cause the public to ignore these notices - and miss one that really does matter.  

·          Companies also expressed concern that these statutes would become vehicles for class action windfalls, even where no actual harm has occurred.  Most preclude private rights of action; a few  -including California - permit them. 

 (What, you ask?  How could this not have caused harm?  Well, for certain kinds of data (credit card information) consumers are protected from real loss, provided they notice unauthorized charges on their statements.  Typically, companies that suffer a breach also offer free credit monitoring and other services to detect potential identity theft.  Theft of personal data is serious business and, depending on the circumstances, can be devastating.  That does not mean it always results in harm, and I am not aware of any credible allegation of harm to individuals from this incident as of yet.)   

Plaintiffs also complain that they were denied access to the Playstation Network while Sony was investigating the breaches.  

Adding insult to injury, Sony also has been sued by its insurers, who seek a declaratory judgment that any liability resulting from the incident is not covered under its policies.  The insurers characterize the policies as covering "bodily injury," "property damage," "advertising injury" and "personal injury liability" and argue that unauthorized access to and theft of personal data does not fall into any of those categories.

Thus, over the next several months, we may see interesting caselaw on the subject of notice, how quickly it is required and what circumstances excuse delay, and on whether data privacy-related injury can fall within the scope of insurance policies that do not expressly cover that category of injury.

Even if Sony defeats the class claims, the legal expenses and associated headaches will reverberate for quite some time.  Regardless of how these cases unfold, Sony soon may be blazing trails in ways it surely never wished.