Sony Pictures Entertainment is facing not one but three class action lawsuits from disgruntled employees who believe the movie giant failed to adequately protect their personal information from hackers last month.
Sensitive information including social security numbers and medical records was leaked online following a destructive malware attack last month which forced the IT team to shut down the entire corporate network.
After lawsuits filed on Monday and Tuesday this week, the third was led by former employees Joshua Forster and Ella Carline Archibeque.
The two are alleging Sony violated California’s Customer Records Act, Confidentiality of Medical Information Act and the state’s Unfair Competition law, and want at least $5 million in damages, according to the Hollywood Reporter.
The main prosecution argument is apparently that Sony Pictures failed its staff by not having strong enough security measures in place to ward off the initial attack, to swiftly detect it had been breached, and to ensure sensitive data was encrypted.
The lawsuit, seen by the paper and filed by Matthew George at Girard Gibbs, has the following:
"Since the breach SPE has focused its remediation efforts on securing its intellectual property from pirates and a public relations campaign directed at controlling the damage associated with the release of embarrassing internal emails. Meanwhile, SPE delayed confirming the data breach for a week and left its employees in the dark about the scope of the breach, how they and their families were impacted, and what steps SPE is taking to remedy or mitigate the breach."
It looks to be another costly data breach for Sony, which earlier this week was forced to delay $40m movie The Interview after major distributors pulled out following online threats to terrorize cinema-goers by a group claiming responsibility for the original cyber attack.
Some unnamed security sources have implicated North Korea in the attack as Pyongyang was angered by the film, which lampoons the hermit nation, and Korean script was found in some of the malware.
However, others have claimed this could be a red herring designed to throw investigators off the scent.
Philip Lieberman, CEO of identity management firm Lieberman Software, argued that the attacks facing Sony were “forseen, are regularly rebuffed and the consequences could have been minor.”
“These lawsuits are the beginning of a groundswell of litigation that will pit corporate CEOs against the public where they will have to defend their behavior of reduction of IT costs versus taking reasonable care in the handling of their security,” he added.
“This is also a failure of the US government to provide clear guidance to private enterprise as to what is ‘reasonable care’ in IT security.”