Friday, January 31, 2014

Sony data breach case stripped down but not gone

In re Sony Gaming Networks And Customer Data Security Breach Litigation, No. 11md2258, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014)

Venkat Balasubramani’s take.  These consolidated cases arose from a criminal intrusion into Sony’s online gaming system. Plaintiffs alleged that Sony failed to provide reasonable network security, including utilizing industry-standard encryption, to safeguard the personal and financial information stored on Sony’s network.

Sony’s online services allow people to play games, and for a fee to access additional content, including games and movies; they can also access other services such as Netflix on their Sony PlayStation consoles.  Accessing the services required agreeing to Sony’s Terms of Service and providing Sony with personal identifying information, including names and credit card information.  Hackers accessed millions of customers’ data in April 2011, which Sony allegedly didn’t disclose for a while, though it took the network offline a few days later and kept it down for almost a month while it audited the system.  During that time, plaintiffs couldn’t use Sony’s online services, and many couldn’t access the third party services either.  Sony allegedly continued to misrepresent the circumstances of the breach and didn’t inform the public about the breach in one variant of its services for roughly ten days.  Then it made a public statement that user personal information had been compromised, and encouraged those affected to “remain vigilant, to review [their] account statements[,] and to monitor [their] credit reports.”  Sony allegedly admitted that its failures “may have had a financial impact on our loyal customers. We are currently reviewing options and will update you when the service is restored.” Further, Sony conceded that some games couldn’t be played offline.  A week later, Sony took a different service offline and announced that it too might have been compromised.  Sony ultimately announced that it would provide US users with free identity theft protection services and certain free downloads and online services.

The named plaintiffs suffered service interruptions and some alleged that they bought credit monitoring services to protect themselves or suffered unauthorized credit card charges.

There are 51 counts in this multidistrict complaint; they can be grouped as: (1) negligence; (2) negligent misrepresentation; (3) breach of express warranty; (4) breach of implied warranty; (5) unjust enrichment; (6) violation of state consumer protection statutes; (7) violation of the California Database Breach Act; (8) violation of the federal Fair Credit Reporting Act; and (9) partial performance/breach of the covenant of good faith and fair dealing.

The court reaffirmed its holding that the plaintiffs had Article III standing: the dissemination of their sensitive personal information increased the risk of future harm. Clapper v. Amnesty International, 133 S.Ct. 1138 (2013), didn’t change that, although that case found that the plaintiffs there hadn’t alleged sufficient injury to challenge FISA surveillance because they hadn’t shown that targeting of their communications was “certainly impending” (subsequent revelations might affect one’s evaluation of this argument), and because the costly and burdensome measures they’d taken to protect confidentiality couldn’t themselves establish standing.  The court here found that Clapper didn’t impose a new requirement, just rejected “a speculative chain of possibilities based on potential future surveillance.”  Here, there was an alleged wrongful disclosure, which was enough for standing—plaintiffs alleged a “credible threat” of impending harm.

The negligence claims lost for various reasons.  For example, though plaintiffs alleged a brief delay between the intrusion and Sony’s consumer notification, they failed to allege that their injuries—credit monitoring services, loss of use and value of the services, and/or diminished value of their game consoles—were proximately caused by the allegedly untimely delay.

The court found that commercial entities had a legal duty to safeguard a consumer’s confidential information entrusted to them using reasonable security measures, including industry-standard encryption, under California and Massachusetts law.  However, the economic loss doctrine precluded recovery; plaintiffs didn’t allege a “special relationship” with Sony beyond those envisioned in everyday consumer transactions, so they couldn’t avoid the economic loss doctrine.

As for negligent misrepresentation/innocent misrepresentation/negligent omission claims, they went down for various reasons (e.g., negligent misrepresentation is not available in Ohio for non-business-based claims), primarily because the misrepresentation claims were based on statements in user agreements/the privacy policy, which were presented to plaintiffs after they bought their consoles.  Thus, they couldn’t plausibly allege pecuniary loss as a result.

The user agreements required California law for the breach of warranty claims, which kicked out more causes of action based on the laws of various states; implied warranty claims also failed because of the existence of an express agreement disclaiming implied warranties, and because network services aren’t “goods” under the UCC.  The existence of a valid contract also doomed various unjust enrichment claims.

As for the consumer protection claims: Begin with California, and of course with standing, which requires injury in fact/economic injury caused by the unfair business practice or false advertising that is the gravamen of the claim.  The court found that plaintiffs adequately alleged harm stemming from Sony’s omissions at the point of purchase.  Though the network was free/plaintiffs registered after acquiring their consoles, plaintiffs alleged that access to the network, and internet access via their consoles, was a key feature of the consoles.  They further alleged that if Sony had disclosed that the network wasn’t reasonably secure, or that it didn’t use industry-standard encryption to secure their personal information, they wouldn’t have bought, or would have paid less for, the consoles.  Although plaintiffs couldn’t have reasonably relied on the post-purchase-disclosed user agreement/privacy policy, they could have relied on the alleged fraudulent omissions.

But did plaintiffs plead with particularity? While no reasonable consumer would believe that Sony promised to provide continued and uninterrupted access, plaintiffs sufficiently pled that Sony misrepresented that it would take “reasonable steps” to secure their personal information, and that Sony used industry-standard encryption “to prevent unauthorized access to sensitive financial information.”   Though Sony disclaimed perfect security, deceptiveness was a question of fact given Sony’s representations about industry-standard encryption.  The fraud-based omission claims were also sufficiently pled (relating to Sony’s failure to tell consumers it didn’t have adequate safeguards in place, failure to immediately notify consumers of the intrusion, and failure to disclose material facts about the security of its network).  Plaintiffs also sufficiently alleged a basis for restitution—Sony benefited financially from the sale of consoles based on fraudulent omissions.  However, UCL/FAL claims for injunctive relief failed for want of specificity.  Sony argued that the CLRA didn’t apply to registration for free network services, but omissions at the point of console purchase were a different matter.

Florida (FDUTPA): Dismissed for want of actual damages, which means a difference in market value of service delivered versus market value in the condition in which it should have been delivered.  The Florida plaintiffs didn’t allege that they wouldn’t have bought their consoles but for Sony’s deceptive conduct, and they failed to allege that a reasonable person would’ve behaved differently at the point of purchase absent the challenged conduct; plaintiffs’ allegations were about the post-purchase user agreement and privacy policy. Consequential damages are unavailable in Florida, so what plaintiffs paid for third party services disrupted by the security problems was unrecoverable.  And disclosure of personal information wasn’t actual damage, since personal data doesn’t have an apparent monetary value that can be priced. However, the Florida claims for declaratory/injunctive relief survived, despite the privacy policy’s disclaimer of perfect security. Again, Sony allegedly warranted that it would take “reasonable” security measures and use industry-standard encryption, but didn’t; this created a factual issue.

Michigan’s Consumer Protection Act: essentially the same result.  (This opinion is a bear, but the judge did not take any shortcuts; each state’s law is specifically considered, even though the results are pretty much in tandem.)

Missouri Merchandising Practices Act: Claim survived, for reasons similar to those offered for California.

New Hampshire Consumer Protection Act: Claim for statutory damages survived, as the NHCPA “does not require a showing of actual damages for the claimant to be awarded the statutory minimum and attorneys’ fees.” Literally true but misleading claims are actionable, and the necessary “rascality” was sufficiently alleged here; the New Hampshire Supreme Court has upheld a NHCPA claim when a defendant “made representations [ ] knowing that he lacked sufficient knowledge to substantiate them.”  However, statutory damages were disallowed in the absence of actual damages in the class action context. Plaintiffs failed to allege actual damages resulting from Sony’s alleged material misrepresentations, so the class action allegations were dismissed, but not claims for injunctive relief.

New York Deceptive Practices Act: Dismissed for lack of actual injury caused by Sony’s alleged material misrepresentations.  Lost privacy/value of personal information stemming from a data breach wasn’t enough, at least where the loss was unintentional rather than intended by the defendant.  See the Florida analysis for the court’s treatment of the rest of the claimed harms, which also led to dismissal of the Texas claims. Comment: despite differences in courts’ wording of the test, these states and many others have basically the same rules. This suggests that courts should be more willing to entertain multistate class actions, with some grouping when necessary.

Ohio consumer protection statutes: Because the “vast majority of federal courts and all lower state courts to address the issue have concluded that relief under the [Ohio Deceptive Trade Practices Act] is not available to consumers,” the court found that plaintiffs lacked standing.  As for the Ohio Consumer Sales Practices Act, consumer class actions require that the defendant’s alleged violation be “substantially similar to an act or practice previously declared to be deceptive” by the Ohio Attorney General or an Ohio state court, and plaintiffs couldn’t meet that standard.

The damage claims under the California Database Breach Act were dismissed (no damages caused by delay in notice) but not the injunctive relief claims.  Sony wasn’t a consumer reporting agency and therefore couldn’t violate the Federal Fair Credit Reporting Act.  Finally, the court allowed a claim for partial performance/breach of the covenant of good faith and fair dealing to go forward, based on allegations that Sony didn’t perform under a settlement agreement between the parties.
