SAN FRANCISCO/ LOS ANGELES – The massive hack of Sony Pictures Entertainment Inc. computers has spurred two lawsuits by former employees accusing the company of failing to protect the personal information of thousands of workers.
The two ex-employees who sued Monday called the breach “an epic nightmare, much better suited to a cinematic thriller than to real life.” Two others who sued Tuesday said Sony knew retribution for “The Interview,” a comedy depicting a mission to assassinate North Korean leader Kim Jong Un, was inevitable and created an unreasonable risk for them.
Sony knew it had inadequate measures in place to protect its data and suffered breaches twice before this year’s attack, in which hackers got into the company’s computer systems and released employee salaries, health data, racially tinged email banter and other sensitive information, according to the complaint filed Monday in Los Angeles federal court.
“Sony made a ‘business decision to accept the risk’ of losses associated with being hacked,” according to the former workers, who are seeking to sue on behalf of about 15,000 current and former Sony employees whose data was compromised.
Representatives of Culver City, California-based Sony Pictures didn’t immediately respond to phone and email messages seeking comment on the lawsuits.
In the case filed Tuesday in state court in Los Angeles, the two former employees allege that Sony executives were aware of the risk of “The Interview” as early as May and that the studio created an unreasonable risk for its employees by going ahead with the release.
“Sony knew it was reasonably foreseeable that producing a script about North Korea’s leader Kim Jong Un would cause a backlash,” according to their lawsuit.
Sony Corp. was warned about a year ago that hackers had infiltrated its network and were stealing gigabytes of data several times a week, underscoring a pattern of lapses predating the recent attack.
The hackers, who haven’t been identified, sifted in late 2013 through data from the company’s network, encrypted the information to cover their tracks and mined it on a regular schedule, said a person familiar with Sony’s investigation of the breach and who asked not to be named because the findings are confidential.
The two former employees who sued Monday, one a Virginia resident who worked at Sony from 2004 to 2007 and the other a California woman who worked at the company from 2000 to 2002, say they have had to buy identity theft protection and have spent as much as 50 hours safeguarding themselves against any possible harm from the stolen information.
They seek unspecified damages for negligence and violations of California and Virginia state laws.
In general, it’s hard for plaintiffs to prove harm from stolen personal data when they haven’t become actual victims of identity theft, said Jonathan Handel, who teaches entertainment law at the University of Southern California. If actual identity theft has occurred, the claims may not be suitable for a class action like this one, he said.
“It’s a different type of financial harm if I can’t close on buying a house because of identity theft than if I can’t buy a bunch of Tiffany jewelry,” Handel said in an interview.
Sony Pictures said in a Dec. 8 letter to its employees filed with the California Attorney General’s Office that the hackers may have stolen Social Security, driver’s license and passport numbers, as well as credit card, compensation and medical information, among other private data. The studio said in the letter that it’s offering all employees 12 months of identity protection services at no charge through a third-party provider.