A man walks past a Sony logo in front of an electronic shop in Tokyo May 3, 2011. Sony CEO Howard Stringer faced criticism of his leadership after the consumer electronics giant revealed hackers may have stolen the data of another 25 million accounts in a second massive security breach.KIM KYUNG-HOON/Reuters
The recent hacker attack at Sony Corp. and other corporate data breaches are attracting more class-action lawyers eager to score a payday, though huge monetary settlements may be elusive.
At least 25 lawsuits have been filed against Sony in U.S. federal courts over the theft of user data from the PlayStation game network, according to Westlaw, a Thomson Reuters Corp legal database.
The lawsuits accuse Sony of negligence and breach of contract for allowing the personal data of more than 100 million online video game users to be compromised and stolen.
The challenge for plaintiffs' lawyers in security breach cases is not proving liability on the part of companies, but establishing damages, according to attorneys involved in this kind of litigation.
Sony has been criticized for not telling customers quickly enough last month that their personal data was compromised. The consumer electronics company said it is possible that whoever broke into Sony's system made off with about 12.3 million credit card numbers.
"Had Sony properly secured its database through known and available encryption methods, even if a hacker were able to enter the network, he would be limited in his ability to inflict harm," one lawsuit says.
A Sony representative declined to comment. The company has apologized to its customers.
Judges are just beginning to address whether the disclosure of someone's personally identifiable information (PII) represents a loss of value, or if plaintiffs must show they suffered additional costs because of a hack.
Last month, a federal judge in Oakland, California, declined to dismiss a proposed class-action lawsuit over a 2009 data breach at RockYou, which develops applications for Facebook and other social networking sites. The plaintiffs claim they provided PII in exchange for products and services.
U.S. District Judge Phyllis Hamilton found that allegation sufficient to allow the lawsuit to move forward, but ruled that the case will fail if the plaintiffs cannot demonstrate tangible harm from the breach.
Still, with even more personal information spreading online via cloud computing, which allows users to store files on the Internet, some plaintiffs' attorneys think the dollar awards will get bigger.
"The breaches will become more spectacular in the future," said Ira Rothken, a San Francisco-based lawyer who handles privacy class actions.
Rothken filed a motion Monday to consolidate all the Sony lawsuits in the U.S. District Court for the Northern District of California. The FBI and attorney general in New York also are investigating the security breach.
Data breach cases also have attracted larger class-action law firms that are better known for bringing shareholder securities fraud litigation.
Milberg LLP, a veteran securities class-action law firm, is among those that have filed lawsuits over the Sony incident. The firm started to devote resources to online class actions "within the last year or so," partner Peter Seidman said.
San Diego-based Robbins Geller Rudman & Dowd LLP, the national class-action firm started by one-time Milberg defector William Lerach, also sued Sony. If the lawsuits were consolidated, a judge would decide which lawyers will represent the plaintiffs - and be in line to recoup most of the fees.
A boutique law firm representing the RockYou plaintiffs, Edelson McGuire in Chicago, is also representing plaintiffs in the Sony case. The firm, which has long litigated data breach and Internet privacy lawsuits, has grown from five to 20 attorneys over the last three years, partner Jay Edelson said.
There have been 190 reported data breaches this year, up from 142 in all of 2005, according to a tracking database maintained by the Open Security Foundation. In 2010, the number of reported breaches stood at 493, down from 624 the year before.
But Internet privacy-related lawsuits do not yield the nine-figure settlements that can be found in classic securities fraud cases, Edelson said.
Attorneys' fees in breach cases have historically topped out at $7-million to $8-million, he said. One of the largest early data breach cases, involving Internet advertising company Doubleclick, settled in 2002 and paid $1.8-million in legal fees.
Companies will often propose solutions like free credit monitoring as part if a settlement. Indeed, Sony has already offered its customers complimentary enrollment in an identity theft protection plan.
Karen Johnson-McKewan, a partner at Orrick, Herrington & Sutcliffe LLP who defends technology companies, said privacy cases could be more popular with plaintiff lawyers as the U.S. Supreme Court makes it more difficult to pursue other kinds of class actions.
"This looks like potentially rich vein in their view," she said.