"They did it again," said Brian Strange, an attorney with Strange & Carpenter.
Strange was referring to Sony, the Japanese electronics conglomerate that finds itself the victim of a massive data breach for the second time in three years. Strange was one of the attorneys who filed a class action lawsuit against Sony the first time around, back in 2012, after up to 77 million members of its PlayStation Network had their personal information stolen by hackers who exploited Sony's weak cybersecurity defenses.
Sony only settled the PlayStation class action in July, agreeing to give away $15 million worth of games and services to affected customers, but less than six months later it may be facing class action litigation yet again.
"I think they violated basic industry standards for encryption of employees information," Strange said of the latest hack.
This time around, it appears that those most affected by the breach were employees of Sony Pictures Entertainment, meaning the company could be sued by its own workers. Reams of personal information — social security numbers, health insurance reimbursements, performance evaluations, even one executive's breastfeeding schedule — were exposed in the hack.
Much of this information was stored in unencrypted, and often non-password-protected, files that were easy picking for determined hackers. To be sure, the two batches of leaked files from Sony Pictures exhibits a remarkably lax approach to data security, such as one directory called "passwords" with more than 100 documents containing logins and passwords for business services like LexisNexis and Bloomberg along with personal services like Fidelity.
Strange said that a lawsuit led by current and former employees, many of whom had personal information included in the leak despite not being with Sony anymore, "would absolute[ly] be an avenue to file an action."
When U.K. regulators fined Sony for the PlayStation breach early last year, David Smith, the deputy commissioner and director of data protection at the Information Commissioner's Office, said: "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough."
While Sony Pictures Entertainment is a different division of the Japanese conglomerate than PlayStation, Smith's condemnation is still damning for the entire company.
"With the parallels between the prior breach and this one, I don't think blaming a third party is a defense that will work," Strange said. "If you have personal information that's shared, you have to follow standards of encryption, and if you don't you should be held responsible."
"[Sony] is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe," Smith said when announcing the U.K.'s penalty for Sony last year.
James Janowitz, who runs the entertainment practice at Pryor Cashman, said that Sony is more likely to face regulatory inquiries than a criminal investigation. Since Sony is the victim of the hack, Janowitz said, most of the legal work for the company will be seeing if they complied with data protection rules from federal and state regulators and law enforcement.
"There's a lot of stuff, they could be in a world of hurt," Janowitz said, referring to the personal, financial, and health information in the leaked documents. "They're going to have all kinds of compliance people making sure they are complying with all of the agencies that they need to deal with, that's a big headache."
California, for instance, requires residents of the state be notified when their personal information is breached "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."
David Beltran, a spokesman for the California Attorney General's office, told BuzzFeed News that as of Wednesday night, the office was yet to be notified.
The Attorney General's office sued the health care provider Kaiser earlier this year over slow notifications following a data breach. Unlike in that instance, however, the Sony leak has been widely publicized and was discussed in detail in a memo to employees obtained by The Hollywood Reporter.
Moreover, before it reached a settlement in the PlayStation lawsuit, Sony offered hacking victims free credit monitoring. It is doing the same thing with current and former employees this time around, a Sony spokesperson said.
Matthew Zeitlin is a business reporter for BuzzFeed News and is based in New York. Zeitlin reports on Wall Street and big banks.
Contact Matthew Zeitlin at email@example.com.
Got a confidential tip? Submit it here.