By now, everyone has heard or read about the unfortunate cyberhack involving the movie “The Interview.” Starring one of Hollywood's favorite comedic duos, James Franco and Seth Rogen, the movie turned out to be anything but a laughing matter. Weeks before the movie was set to be released, Sony Pictures, the company releasing it, was victimized by a massive cyberhack. Although cyberbreaches are not new, what is different about this case is that information about former and current employees was targeted in the hack. Names, addresses, Social Security numbers, employment records, including compensation records, human resources records, medical information and financial information for former and current Sony employees were allegedly made public. Investigations quickly revealed that North Korean hackers were behind the leak and it was a vengeful cyberattack. Past and present employees victimized by the attack quickly filed class actions against the studio alleging various claims, including negligence, violations of California's data security laws, and constitutional invasion of privacy, among others.

Data breach class actions are nothing new and, sadly, due to their proliferation, their ability to catch the attention of anyone following the news may be waning. But what is unique about this case is that the plaintiff class is made up of employees. Target, Home Depot and other retailers have been subjected to high-profile class action litigation resulting from data breaches; however, in those cases consumer information was compromised. Sony faces litigation resulting from the theft of employee information. The differences are notable and present a slew of issues for employers to consider.

Difficult Nature of Data Breach Class Actions

Despite the obvious potential for harm resulting from a data breach and the publication or release of an individual's personally identifiable information, data breach actions face difficult hurdles that often trip up plaintiffs. A plaintiff must have suffered an injury in fact to have standing; that injury must be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” as in Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). There is a strong argument to be made that a plaintiff has not suffered injury in fact by the increased risk of identity theft alone. If an identity was “stolen” but has not been used by anyone else, can you still bring a lawsuit? A plaintiff who can prove that his information was, in fact, misused by a hacker has a much stronger argument that he has standing to bring a claim than a plaintiff who can allege only an increased risk of identity theft.

The highly publicized cases against companies in the aftermath of a breach or cyberattack are the large class actions. Often, a company faces numerous class actions resulting from each incident. These data breach class actions have additional hardships to face beyond the foundational requirement that the named plaintiff has standing. For a class to be certified, the plaintiffs must be able to show proof on a classwide basis that ties the specific occurrences of identity theft to the data breach that is the subject of the class claim, in addition to other statutory requirements set forth in Rule 23.

The Potential Impact of 'Spokeo'

Upcoming activity in the U.S. Supreme Court will likely have a big impact on data breach actions, specifically on the issue of standing and whether a person whose personally identifiable information or other personal, private information was compromised in a cyberattack can bring suit against the hacked company. Less than a month ago, the Supreme Court granted certiorari in Spokeo v. Robins, 742 F.3d 409 (9th Cir. 2014). The court will confront the issue of whether Congress may confer standing on a plaintiff who has not suffered a concrete injury by permitting a private right of action based on the violation of a federal statute.