On January 21, 2014, the United States District Court for the Southern District of California announced a significant ruling for plaintiffs in data breach cases (Case No. 3:11-02258).  Although the Court dismissed 43 of the Plaintiffs’ 51 claims, the Court allowed certain claims based upon state consumer protection statutes to proceed.  Unlike the rulings in many other data breach cases, the Court found that Plaintiffs alleged a “credible threat” of impending harm as a result of the disclosure of their personal information.  The Court further held that, in order to establish standing, Plaintiffs were not required to allege that their personal information was actually accessed by a third party.  This decision may be a sign that Courts are becoming more willing to allow plaintiffs to overcome the standing hurdle — a hurdle that has precluded many data breach plaintiffs’ claims in the past.

The remaining state consumer protection statute claims are mainly based upon Sony’s alleged misrepresentations about “reasonable security” and “industry-standard encryption.”  The Court found that, “because Plaintiffs have alleged that Sony omitted material information regarding the security of Sony Online Services, and that this information should have been disclosed to consumers at the time consumers purchased their Consoles, the Court finds Plaintiffs have sufficiently alleged a loss of money or property ‘as a result’ of Sony’s alleged unfair business practices.”  In addition, Plaintiffs allege that Sony misrepresented that it would take “reasonable steps” to secure Plaintiffs’ personal information, and that Sony “use[d] industry-standard encryption to prevent unauthorized access to sensitive financial information.”  Although Sony defends against these allegations by stating that it did not promise any right to so-called “perfect security,” the Court found that whether Sony’s representations were deceptive is a question of fact that cannot be decided on a motion to dismiss.

  •  What should companies learn from this decision?  When making any representation regarding data security, including, but not limited to, how a company protects sensitive consumer information, companies must proceed with caution.  These representations must be complete, accurate and made in a non-misleading manner.  Companies should review and update their data security representations on a regular basis.