The Green Sheet

Friday, April 29, 2011

First Sony data breach suit filed, FBI launches investigation

A nationwide class action suit against Sony Computer Entertainment America LLC (Sony EA) and Sony Network Entertainment International (Sony EI) was filed in federal court April 27, 2011. The filing came just days after Sony announced that a massive data breach had compromised the personal information and, possibly, credit card numbers of more than 77 million Sony PlayStation customers, but more than a week after Sony discovered the breach.

The complaint was filed in the Northern District of California on behalf of an Alabama resident, Kristopher Johns, and "all other similarly situated." The suit was filed by the Rothken Law Firm in Novato, Calif., and Kershaw, Cutter & Ratinoff LLP in Sacramento. Both firms are experienced in technology litigation.

In 2010, Rothken settled a data breach class action suit against T-Mobile USA Inc. and Microsoft Corp. after the Sidekick smart phone system was hacked. Kershaw won a class action filed against AOL Inc. over its advance consent marketing.

FBI involvement

Informed sources in law enforcement confirm the FBI is investigating the Sony data breach. The FBI shares cyber crime jurisdiction with the United States Secret Service. Sony, sources said, chose to contact the FBI; that agency will lead the investigation.

The FBI normally does not comment on its investigations. However, there have been so many phone calls to the FBI office about the Sony breach that the agency has been forced to respond. San Diego FBI Special Agent Darrell Fox answered questions about the FBI's involvement with the following statement:

"The FBI is aware of the reports concerning the alleged intrusion into the Sony online game server and we have been in contact with Sony concerning this matter. We are presently reviewing the available information in an effort to determine the facts and circumstances concerning this alleged criminal activity. Anyone with information concerning this matter is asked to contact the FBI at 858-565-1255 or 1-877-EZ-2-TELL. Cyber tips should be sent to IC3.gov."

The lead attorney in the class action filed against Sony, Ira Rothken, asserted recently, "We have information that is a red flag that the folks who took the Sony data are offering 2.2 million credit cards with the [card verification values] and assorted personal information for sale on criminal venues, underworld bulletin boards."

Rothken said he has not visited any sites where the information is being offered.

Other investigations

Class action complaints are not the only front as Sony fights back from the aftermath of the data breach. Britain's Information Commissioner's Office is investigating the data breach.

In Washington, Rep. Mary Bono Mack, R-Calif., and a member of the House Subcommittee for Commerce, Manufacturing and Trade, instructed her staff to determine if an investigation is warranted. Rep. Bobby Rush, D-Ill., a member of the Energy and Commerce Committee and a member of the Communications and Technology Subcommittee, promised to reintroduce this year legislation requiring companies to meet security standards. Sen. Tom Carper, D-Del., a member of the Senate Finance Committee, is calling for a new cyber security bill this year.

Damages sought

According to industry analysts, one of the problems with a class action against Sony is that the company does not charge for access to the PlayStation game network, so damages can be difficult to assess.

The lead attorney in the Sony class action, Ira Rothken, said the free network is not an obstacle to damages because there are multiple ways to assess damages in a case like this, including the assessment of statutory damages under California data security laws. Rothken also noted there is real value lost to game players and consumers of music and videos who paid for a service they can't access. "There are a large number of ways to quantify the damages," Rothken assured.

"There'll be a lot of arguments over damages," Kershaw's John Parker conceded, "but it will go both ways. It's true the Sony network is free but it also has subscription services on it for features like multi-player games. Sony has a duty to protect personal information in their subscription services but credit card and personal identification information was disclosed anyway."

Parker added Sony "clearly" wasn't vigilant in securing the data. Parker said he expects more class actions to be filed in other districts. Sony PlayStation customers in other countries who believe they have suffered damages from the Sony breach and network shutdown should contact a local attorney, Parker stated.

"I can only assume there is going to be a pile-on," Parker said when asked about the possibility of more complaints being filed. "What I expect is that several will be filed in different parts of the country. The suits will then likely go to the Judicial Panel for Multidistrict Litigation to determine where the case will be heard."

Parker said he doesn't know when to expect a hearing. "We'd like to get moving as quickly as possible," he said. "But we don't always get what we want."

"The impact of this theft is multiplied by Sony's failure to inform consumers of the data breach right away," Rothken said. "Once the hackers have the information, if the breach isn't reported right away and customers don't know to change passwords and cancel credit cards, the hackers can use the information to hack customers' other ecommerce sites doubling the damages resulting from Sony's actions."

Rothken said, based on his experience with other data breach litigation, that Sony probably was not Payment Card Industry (PCI) Data Security Standard (DSS) compliant. "I can't think of a major data breach where the company was PCI compliant," he said. "I think it is likely Sony was not PCI compliant. There were a lot of red flags that suggest Sony knew or should have known their system was vulnerable."

Sony has not returned requests for a response to the class action and Rothken's allegations that the stolen credit card and personal information is up for sale.

Rothken said he believes the Northern District of California is the correct venue for the complaint. He expects if similar complaints are filed in other federal venues around the country, they will eventually be consolidated in the Northern District of California.

Complaint particulars

The complaint claims the data breach "is one of the largest compromise[s] of Internet security and [has] the greatest potential for credit card fraud to ever occur in United States history."

It alleges Sony "has been aware for a substantial period of time that [PlayStation Network] was prone to catastrophic loss of data from a security breach." It also claims Sony "failed to warn its customers of the problem or tried to prevent them from suffering system suspension from security breaches and data losses" and that Sony "failed to effectively remedy the problems and defects inherent" in the network.

The complaint slaps Sony with allegations of breach of warranty, negligent data security, violations of consumers' rights of privacy, failure to protect consumers' rights to privacy and failure to inform consumers of the breach in a timely manner.

The suit also claims Sony failed to maintain adequate computer data security of customer personal and financial data. It states Sony's negligence includes, among other things, "[its] failure to maintain a proper firewall and computer security system, [its] failure to properly encrypt data, its unauthorized storage and retention of data, its violation of Payment Card Industry Data Standard … and its violation of California laws requiring the implementation and maintenance of security for customer information."

The suit additionally describes Sony's alleged failure to notify customers of the data breach in a timely manner. It claims that as a result of Sony's decision not to inform the public of the breach for more than a week after the breach was discovered, consumers were denied the ability to make an informed decision about how to address potential identity theft.

"This has caused, and continues to cause, millions of consumers fear, apprehension, and damages including extra time, effort, and costs for credit card monitoring, and extra time, effort, and costs associated with replacing cards and account numbers, and burden, and is harming both consumers' and merchants' ability to protect themselves from such fraud," the complaint states.

Because Sony's PlayStation Privacy Policy specifically says the company takes "reasonable measures to protect the confidentiality, security and integrity of the personal information collected," the attorneys believe the data breach puts Sony in violation of California's Song-Beverly Consumer Warranty Act, known as the state's "lemon law."

The complaint states consumers should be reimbursed for damages due to the disruption of the use of the Sony PlayStation gaming network service and loss of data security.

The complaint also alleges Sony's "policies and practices are unlawful, unethical, oppressive, fraudulent and malicious. The gravity of the harm to all consumers and to the general public from [Sony's] policies and practices far outweighs any purported utility those policies and practices have."

The plaintiffs are asking for unspecified damages in excess of $5 million for the loss of use of the PlayStation consoles and network, along with the Sony on-demand video and music service Qriocity. They also ask for restitution, replacement or recall of defective PlayStation consoles and PlayStation Network service, litigation costs and attorneys' fees.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
