In re Sony Gaming Networks & Customer Data Security Breach Litigation
2014 U.S. Dist. LEXIS 7353, 996 F. Supp. 2d 942, 82 U.C.C. Rep. Serv. 2d (West) 493 (2014)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
The wrongful disclosure of consumers' personal and financial information following a data breach constitutes a credible threat of impending harm sufficient to establish Article III standing. However, negligence claims seeking purely economic losses are generally barred by the economic loss doctrine unless a special relationship exists between the parties.
Facts:
- Sony Computer Entertainment America, LLC and its affiliates (collectively, 'Sony') developed and marketed PlayStation consoles that allow users to access the internet and the PlayStation Network ('PSN').
- To create a PSN account, which was offered free of charge, consumers were required to agree to Sony's Terms of Service and Privacy Policy and provide personal identifying information, including names, addresses, and credit or debit card details.
- In mid-April 2011, hackers infiltrated Sony's network and stole the personal information of millions of customers, including the named Plaintiffs.
- Sony discovered the security breach as early as April 17, 2011.
- On April 20, 2011, Sony took the PSN offline but did not immediately inform users of the data theft.
- The PSN remained offline for nearly a month, during which time users could not access online gaming features or certain third-party services like Netflix through their consoles.
- On April 26, 2011, Sony publicly announced that user personal information had been compromised in the intrusion.
Procedural Posture:
- Numerous civil actions were filed against Sony in various federal district courts following a data breach.
- The Judicial Panel on Multidistrict Litigation transferred and consolidated these actions into a single case before the U.S. District Court for the Southern District of California, a court of first instance.
- A Plaintiffs' Steering Committee filed a Consolidated Class Action Complaint.
- Sony filed a motion to dismiss the Consolidated Complaint.
- The district court granted the motion in part and denied it in part, allowing Plaintiffs to amend their complaint.
- Plaintiffs then filed a First Amended Consolidated Class Action Complaint (FACC), which prompted the current motion to dismiss by Sony.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does the wrongful disclosure of consumers' personal and financial information following a criminal data breach create a credible threat of impending harm sufficient to establish Article III standing, even if no actual identity theft has yet occurred?
Opinions:
Majority - Battaglia, J.
Yes, the wrongful disclosure of personal information creates a credible threat of impending harm sufficient for Article III standing. The court reasoned that the Ninth Circuit's precedent in Krottner v. Starbucks, which found standing based on a 'credible threat of harm' that is 'real and immediate,' remains controlling. The Supreme Court's subsequent decision in Clapper v. Amnesty International did not establish a new, stricter standard for standing but merely reiterated that the alleged harm must be 'certainly impending' rather than based on a 'speculative chain of possibilities.' Unlike the speculative future surveillance in Clapper, the plaintiffs here suffered an actual theft and disclosure of their sensitive personal data, creating a plausible and impending risk of future harm like identity theft. However, the court dismissed most of the plaintiffs' substantive claims. The negligence claims were dismissed under the economic loss doctrine, as the plaintiffs sought purely economic damages (e.g., credit monitoring costs, diminished product value) without alleging personal injury, property damage, or a 'special relationship' with Sony under the J'Aire test. The court also dismissed breach of warranty claims due to choice-of-law provisions and valid disclaimers in the user agreements, and dismissed unjust enrichment claims because an express contract governed the parties' relationship. While most state consumer protection claims were dismissed for failing to meet specific statutory requirements, the court allowed California consumer protection claims to proceed on a theory of fraudulent omission, finding it plausible that Sony's failure to disclose its inadequate security at the time of the console sale constituted a material omission that caused consumers economic harm.
Analysis:
This decision solidifies a plaintiff-friendly approach to Article III standing in data breach cases within the Ninth Circuit, distinguishing the concrete harm of data theft from more speculative future injuries discussed in Clapper. However, the opinion also underscores the significant challenge plaintiffs face in recovering damages under common law tort theories due to the economic loss doctrine. By dismissing the negligence claims, the court pushes data breach litigation towards statutory causes of action, such as state consumer protection laws, which have their own unique and often stringent pleading requirements. The case illustrates that while victims of a data breach may successfully get into federal court, surviving a motion to dismiss on substantive claims for monetary damages remains a major hurdle.
