The massive hack of Sony Pictures Entertainment Inc.’s computers has spurred two lawsuits by former employees accusing the movie company of failing to protect the personal information of thousands of workers.
Two ex-employees who sued yesterday called the breach “an epic nightmare, much better suited to a cinematic thriller than to real life.” Two others who sued today said Sony knew retribution for “The Interview,” a comedy depicting a mission to assassinate North Korean leader Kim Jong Un, was inevitable and created an unreasonable risk for them.
Sony knew it had inadequate measures in place to protect its data and suffered breaches twice before this year’s attack, in which hackers got into the company’s computer systems and released employee salaries, worker health data, racially tinged e-mail banter and other sensitive information, according to the complaint filed yesterday in Los Angeles federal court.
“Sony made a ‘business decision to accept the risk’ of losses associated with being hacked,” according to the ex-workers, who seek to sue on behalf of about 15,000 current and former employees whose data was compromised.
Representatives of Culver City, California-based Sony Pictures didn’t immediately respond to phone and e-mail messages seeking comment on the lawsuits.
In the case filed today in state court in Los Angeles, the two former employees allege that Sony executives were aware of the risk of “The Interview” as early as May and the studio created an unreasonable risk for its employees by going ahead with the release.
“Sony knew it was reasonably foreseeable that producing a script about North Korea’s leader Kim Jong Un would cause a backlash,” according to their lawsuit.
Sony Corp. was warned about a year ago that hackers had infiltrated its network and were stealing gigabytes of data several times a week, underscoring a pattern of lapses predating the recent attack.
The hackers, who haven’t been identified, sifted in late 2013 through data from the company’s network, encrypted the information to cover their tracks and mined it on a regular schedule, said a person familiar with Sony’s investigation of the breach, who asked not to be named because the findings are confidential.
The two former employees who sued yesterday, one a Virginia resident who worked at Sony from to 2004 to 2007 and the other a California woman who worked at Sony from 2000 to 2002, say they have had to buy identity-theft protection and have spent as much as 50 hours safeguarding themselves against any possible harm from the stolen information.
They seek unspecified damages for negligence and violations of California and Virginia state laws.
In general, it’s hard for plaintiffs to prove harm from stolen personal data when they haven’t become actual victims of identity theft, said Jonathan Handel, who teaches entertainment law at the University of Southern California. If actual identity theft has occurred, the claims may not be suitable for a class action like this one, he said.
“It’s a different type of financial harm if I can’t close on buying a house because of identity theft than if I can’t buy a bunch of Tiffany jewelry,” Handel said in a phone interview.
Sony Pictures said in a Dec. 8 letter to its employees, filed with the California Attorney General’s Office, that the hackers may have stolen Social Security, driver’s license and passport numbers, as well as credit-card, compensation and medical information, among other private data.
The studio said in the letter that it’s offering all employees 12 months of identity protection services at no charge through a third-party provider.
The cases are Corona v. Sony Pictures Entertainment Inc., 14-09600, U.S. District Court, Central District of California (Los Angeles) and Dukow v. Sony Pictures Entertainment Inc., BC566884, California Superior Court, Los Angeles County.