The Sony film “The Interview” was meant to take the studio laughing all the way to the top of the box office. But when an anonymous group calling itself Guardians of the Peace hacked into the Sony system and released floods of employee data on the internet, allegedly in protest of the film, the story was no longer a comedy matter. Nearly a year later, Sony has reached a settlement, to be approved by the U.S. District Court for the Central District of California, of $8 million to reimburse its employees for identity theft losses, credit-fraud protections services, and legal fees.
The settlement lists the cause of action as negligence, declaratory judgement, and alleged violations of the California Confidentiality Information Act and the California Unfair Competition Law. It therefore raises the question as to what the standard for negligence should be in cases of cyber attacks on large corporations. Having not heard the reasoning of the court, it is difficult to say whether Sony should have taken greater care due to the commercial value of the data, or simply that the burden of care should be higher due to the number of people involved. As the settlement says “This case raises common factual questions, including what efforts [Sony] took to protect Settlement Class Member’s personal information and whether those efforts were sufficient.” The questions have been identified, but with a settlement and not a court decision, questions still remain.
Settlement cases are often infuriating to us legal scholars because they may tell us what the case was about, but little about the legal reasoning of the outcome. The Sony settlement may be summed up as a case imposing corporate responsibility to use better encrypted security software; but it does not tell us if this responsibility falls under labour law, or if it is another step down the legal path of treating personal information as assets. Looking at the relevant case law cited, especially In Re Sony Gaming Networks where millions of users’ data were similarly stolen, is not particularly helpful as they concern the data of customers, not employees. In these scenarios, the legal question turned on whether or not data security was part of the purchase alongside the primary product.
The settlement recognises that the real victims of this cyber attack were the employees, and thus the $8 million price tag is compensation for the resulting economic and potential economic injury. But with caps of $10,000 for identity theft losses and $1,000 of credit-card protection per claimant, it is perhaps not surprising that Marc Rotenberg, the executive director of the Electronic Privacy Information Centre, told USAToday that “It is a surprisingly small fund, considering the extent of the breach.”
Statements by Sony indicate that this is a settlement the studio can well afford, but it is hard to gauge whether that is posturing for the shareholders or a true reflection of the agreement’s lack of financial bite. The settlement may, however, serve as a wake-up call for US corporations’ responsibility for increased care of employee’s data in a globalized world, where the next hacking attempt may only be a keystroke away.
Ann Kristin Glenster is a doctoral exchange student from the University of Cambridge