Could Sony Employees Sue After That Massive Hack?

Thanks to a devastating hack at Sony Pictures Entertainment last month, we know what James Franco earned for The Interview and we have a sneak peek at Will Gluck’s new movie Annie.

But more importantly, the attack dealt a serious blow to the privacy of thousands of Sony employees who saw their social security numbers, dates of birth, salaries and even medical records leaked online. The breach leaves them vulnerable to identity theft or extortion.

So, if you work at Sony Pictures and you’ve been hit by the hack, what do you do now? Sony employees may have a pretty good shot at suing the company under California law, perhaps to the tune of many millions of dollars, lawyers say. Sony Pictures Entertainment is based near Los Angeles, so California is the best state to host a suit.

The Golden State has some of the strictest employee information disclosure laws in the country, which would give workers wide latitude to get some kind of compensation from the company. California law is designed to protect residents from having their personal information disclosed by a company or other institution.

In Sony’s case, it’s not that Sony intentionally disclosed the data. Instead, the question is whether it did enough to protect it from being disclosed by others.

The fact that hundreds of employees’ medical information, including complaints about unpaid insurance claims and lists of costly medical procedures, makes Sony especially exposed to a lawsuit, lawyers said. California’s civil code says that “any individual may bring an action against any person or entity who has negligently released [their] confidential information” and win $1,000—and that’s without proving direct damage.

How could Sony defend itself from an employee suit? It would have to prove in court that it did a good job of protecting workers’ data — a point that’s been disputed over the last several days.

“[If] all possible safeguards had been put in place, I think that’s going to matter to enforcement agencies and to a court,” said Peter Rukin, a partner at Rukin, Hyland, Doria & Tindall LLP who specializes in employment litigation. Rukin added that Sony is vulnerable unless it “can show data [was] encrypted under best practices.”

Sony may have an uphill battle making that case. “Sony’s ‘information security’ team is a complete joke,” one former employee recently told Fusion. “We’d report security violations to them and our repeated reports were ignored.” Of the 11 people (out of 7,000 employees) responsible for Sony’s security, eight were managers.

Still, a cybersecurity firm contracted by Sony to help clean up the attack said on Monday that the hack was something for which “neither [Sony Pictures Entertainment] nor other companies could have been fully prepared.”

Whether that’s true could be decided in a courtroom. It already looks like some kind of lawsuit may be in the works — a cohort of former Sony employees are mulling a class action, Fox News reported based on unnamed sources, and many workers have been communicating with a major law firm. Rukin said a class action, it it happens, could be filed in a matter of weeks or even days. Sony hasn’t yet responded to a request for comment.

Correction: The original post misstated the name of Will Gluck’s new movie. It is Annie.