Skip to main content

Court Decision in Sony PlayStation Data Breach Case Places Burden on Plaintiffs to Allege Actual Damages

Written by Kevin McGinty

Class action plaintiffs asserting claims against Sony in connection with the 2011 Sony PlayStation Network (“PSN”) data breach face permanent dismissal of their claims unless they can allege actual losses resulting from the breach.  In an October 11 decision, a federal court in Los Angeles granted in part Sony’s motion to dismiss plaintiffs’ claims, holding that plaintiffs had not pleaded the existence of sufficient injury or damages to support their claims for negligence and for violation of California’s unfair competition law (“UCL”) .  The decision granted plaintiffs leave to file an amended complaint to attempt to plead sufficient losses to support their claims.  It is unclear whether plaintiffs will be able to do so and, even if they can, the nature of the injuries and damages that would have to be alleged to survive a renewed motion to dismiss are likely to be too individualized to lend themselves to certification of a plaintiff class.

As previously reported in this blog, the claims against Sony relate to a 2011 data breach that allegedly resulted in the theft of credit card and password information relating to users of PSN and Sony’s Qriocity service.  After the data breach occurred, Sony shut down PSN and Qriocity to address potential security issues, and notified users of the breach.  Sony offered users compensation in the form of free identity theft protection services and certain free downloads and online services.

The lawsuit claims that Sony knew or should have known of its system’s vulnerability and, nonetheless, negligently failed to maintain proper security.  Plaintiffs allege that the data breach injured them by reason of network downtime after the data breach, fraudulent credit card charges made against certain plaintiffs’ credit cards,  and the risk of identity theft.   Notably, plaintiffs who claimed that unauthorized charges were made against their credit cards did not allege that they were personally responsible for paying those charges.  Sony moved to dismiss on several grounds, focusing primarily on the absence of injury.   In particular, Sony claimed that failure to allege actual out-of-pocket losses  meant that there was not an injury in fact sufficient to permit standing to sue under Article III of the United States Constitution.  Sony also argued that the absence of out-of-pocket damages meant that plaintiffs failed to state claims for negligence and for violation of the UCL.

The court rejected the argument that the absence of out-of-pocket damages deprived plaintiffs of Article III standing, finding that risk of future harm associated with the exposure of personal data is sufficient to establish a justiciable case in controversy.  Such potential future harm, however, was deemed insufficient to state a claim for negligence or for violation of the UCL.  “Under California law,” the court stated “appreciable, nonspeculative, present harm is an essential element of a negligence cause of action.”  The risk of future harm does not meet this standard, thus requiring dismissal of plaintiffs’ negligence claim.  Similarly, because actual loss of money or property is a required element of plaintiffs’ UCL claims, the absence of any such allegations was fatal to that claim as well.  Accordingly, as many other courts have held, the inability to show present actual loss or injury will be fatal to claims arising from a data breach.   (For a more detailed discussion of such cases, please see this previous blog entry).  Plaintiffs have been granted leave to file an amended complaint to the extent that they can allege specific losses to satisfy the pleading elements for their negligence and UCL claims.

The absence of actual injury was not the only ground for dismissal of plaintiffs’ claims.  Claims against two Sony-related defendants were dismissed with prejudice for lack of standing because none of the plaintiffs were customers of those defendants.  Plaintiffs’ negligence claims failed not only for lack of damages but also based on the absence of plausible allegations of negligent conduct and failure to allege sufficient special circumstances that would permit maintaining a negligence claim for economic losses in the absence of physical injury.  The court dismissed with prejudice the purported assertion of claims under the California UCL on behalf of non-California residents, holding that any unfair competition claims that might be asserted on behalf of such individuals can only be brought under the laws of the states in which they reside.  Also dismissed with prejudice was a claim for unjust enrichment, which is an equitable remedy not available as a separate cause of action under California law.

Even if plaintiffs can allege sufficient facts to meet their pleading burden, it will be extremely difficult for them to obtain certification of a plaintiff class.  Certification of a class to seek money damages under Fed. R. Civ. P. 23(b)(3) requires a showing that issues of fact and law common to the class as a whole predominate over issues that are specific to individual class members.  The types of losses that would be sufficient to avoid dismissal are highly individualized because they require each class member to establish out-of-pocket loss, which cannot be determined through proof common to the class as a whole.  Thus, even though plaintiffs retain the ability to continue this case by filing an amended complaint, it appears doubtful that any amended complaint would provide a viable means to maintain a class action against Sony in connection with the PSN data breach.

 

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.