Sony data breach lawsuit largely dismissed

Hackers compromised the personal data of around 77 million PlayStation users during the 2011 incident, attacking the PlayStation Network, the Qriocity service and Sony Online Entertainment, causing a PSN outage for more than a month. The breach prompted a class-action suit brought by victims seeking financial recompense for what they alleged was Sony's negligence in data security, firewall readiness and data encryption. 

Now, according to Courthouse News, a US District judge has cleared Sony of any major wrongdoing in the case, with the court dismissing claims including negligence, unjust enrichment, bailment and violations of California consumer-protection statutes. Also, Sony was not found to be in violation of consumer-protection laws, because the named plaintiffs in the suit were getting PSN services without a subscription, "and thus received the PSN services free of cost,” Judge Anthony Battaglia wrote in the 36-page dismissal.

He also dismissed a bailment charge because "plaintiffs freely admit, plaintiffs' personal information was stolen as a result of a criminal intrusion of Sony's Network. Plaintiffs do not allege that Sony was in any way involved with the data breach."

Further, the suit alleged that Sony was misleading in its stated consumer information protection guarantees, but Battaglia said that because users signed the Sony Privacy Policy, which included "clear admonitory language" when it came to Sony's security policies, "no reasonable consumer could have been deceived.”

The class-action suit has now been given leave to amend its claims.

The breach was one of the largest in history, and has prompted not only legal action but also Congressional interest since it was first reported 18 months ago. Sony pinned the cost of the breach at $171 million, but court costs and reputational damage will clearly inflate that figure before all is said and done.

Sen. Richard Blumenthal (D-Conn.), said in a letter to Jack Tretton, Sony Computer Entertainment America president and chief executive, that Sony should pay for credit report services for PlayStation users and insurance to protect them against any financial consequences of the breach.

“I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach,” Blumenthal wrote in 2011.

Making matters worse, shortly after restoring its network, Sony Pictures was hit by a second data breach, drawing yet more unwanted publicity to the company. Hacking collective Lulzsec took responsibility.

In the aftermath of the breaches, Sony pledged to revamp its security practices and named Philip Reitinger as senior vice-president and CISO, reporting to general counsel Nicole Seligman.

What’s hot on Infosecurity Magazine?