Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Data breach suits grow, but damages hard to prove

Reprints

SAN FRANCISCO (Reuters)—The recent hacker attack at Sony Corp. and other corporate data breaches are attracting more class action lawyers eager to score a payday, though huge monetary settlements may be elusive.

At least 25 lawsuits have been filed against Sony in U.S. federal courts over the theft of user data from the PlayStation game network, according to Westlaw, a Thomson Reuters Corp. legal database.

The lawsuits accuse Sony of negligence and breach of contract for allowing the personal data of more than 100 million on-line video game users to be compromised and stolen.

The challenge for plaintiff lawyers in security breach cases is not proving liability on the part of companies, but establishing damages, according to attorneys involved in this kind of litigation.

Sony has been criticized for not telling customers quickly enough last month that their personal data was compromised. The consumer electronics company said it is possible that whoever broke into Sony's system made off with about 12.3 million credit card numbers.

“Had Sony properly secured its database through known and available encryption methods, even if a hacker were able to enter the network, he would be limited in his ability to inflict harm,” one lawsuit says.

A Sony representative declined to comment. The company has apologized to its customers.

Judges are just beginning to address whether the disclosure of someone's personally identifiable information represents a loss of value, or if plaintiffs must show they suffered additional costs because of a hack.

Recent rulings

Last month, a federal judge in Oakland, Calif., declined to dismiss a proposed class action lawsuit over a 2009 data breach at RockYou, which develops applications for Facebook and other social networking sites. The plaintiffs claim they provided personally identifiable information in exchange for products and services.

U.S. District Court Judge Phyllis Hamilton found that allegation sufficient to allow the lawsuit to move forward, but ruled that the case will fail if the plaintiffs cannot demonstrate tangible harm from the breach.

Still, with even more personal information spreading online via cloud computing, which allows users to store files on the Internet, some plaintiff attorneys think the dollar awards will get bigger.

“The breaches will become more spectacular in the future,” said Ira Rothken, a San Francisco-based lawyer who handles privacy class actions.

Mr. Rothken filed a motion on Monday to consolidate all the Sony lawsuits in U.S. District Court for the Northern District of California. The FBI and attorney general in New York also are investigating the security breach.

Large law firms involved

Data breach cases also have attracted larger class action law firms that are better known for bringing shareholder securities fraud litigation.

Milberg L.L.P., a veteran securities class action law firm, is among those that have filed lawsuits over the Sony incident. The firm started to devote resources to online class actions “within the last year or so,” said Peter Seidman, a partner in the firm.

San Diego-based Robbins Geller Rudman & Dowd L.L.P. also sued Sony. If the lawsuits were consolidated, a judge would decide which lawyers will represent the plaintiffs—and be in line to recoup most of the fees.

A boutique law firm representing the RockYou plaintiffs, Edelson McGuire L.L.C. in Chicago, is also representing plaintiffs in the Sony case. The firm, which has long litigated data breach and Internet privacy lawsuits, has grown from five to 20 attorneys over the past three years, said Jay Edelson, a partner in the firm.

There have been 190 reported data breaches this year, up from 142 in all of 2005, according to a tracking database maintained by the Open Security Foundation. In 2010, the number of reported breaches stood at 493, down from 624 the year before.

But Internet privacy-related lawsuits do not yield the nine-figure settlements that can be found in classic securities fraud cases, Mr. Edelson said.

Attorney fees in breach cases have historically topped out at $7 million to $8 million, he said. One of the largest early data breach cases, involving Internet advertising company DoubleClick, settled in 2002 and paid $1.8 million in legal fees.

Companies will often propose solutions such as free credit monitoring as part of a settlement. Indeed, Sony has already offered its customers enrollment in an identity theft protection plan.

Karen Johnson-McKewan, a partner at Orrick, Herrington & Sutcliffe L.L.P. who defends technology companies, said privacy cases could be more popular with plaintiff lawyers as the U.S. Supreme Court makes it more difficult to pursue other kinds of class actions.

“This looks like potentially rich vein in their view,” she said.