a 10 i 12 13 14 15 16 7 18 19 20 ai 2 23 4 25 26 a 28 Douglas L. Johnson Bar No. 209216) Neville L. Johnson (Bar No. 66329) Brian T. Shippen-Murray (Bar No. 288188) CONFORMED Cory JOHNSON & JOHNSON LLP See, 439 North Canon Drive, Suite 200 Beverly Hills, California 90210 DEC 16 2014 Telephone: 310.975.1080 Shor as Facsimile: 310.975.1095 yet Caney et Email: djohnson@jjllplaw.com Email: njohnson@jjliplaw.com Email: bmurray@jjllplaw.com Attorneys for Plaintiffs and Plaintiff Class SUPERIOR COURT FOR THE STATE OF CALIFORNIA. COUNTY OF LOS ANGELES Case No Bo 566884 CLASS ACTION SUSAN DUKOW and YVONNE YACONELLL, on behalf of themselves and all others similarly situated, Plaintiffs, COMPLAINT FOR VIOLATIONS OF: 1. THE CALIFORNIA DATA BREACH ACT [CAL. Crv, Coe § 1798.80, et seq.] 2. CONSTITUTIONAL INVASION OF vs. SONY PICTURES ENTERTAINMENT, PRIVACY [CAL. Const. ArT. 1, SEC. 1] INC., and DOES 1-100, 3, THE CALIFORNIA Defendants. CONFIDENTIALITY OF MEDICAL INFORMATION ACT [CAL. Cv. Cope | §56, etseq.] | 4, NEGLIGENCE CSR TRIAL DEMANDED I. INTRODUCTION Susan Dukow and Yvonne Yaconelli (“Plaintiffs”) initiate this action against Sony Pictures Entertainment, Inc. (“Sony” or “Defendant”), on behalf of themselves, all others similarly situated, and allege upon information and belief as follows: CLASS ACTION COMPLAINT COPYCor anewn 10 u 12 3 14 15 16 7 18 19 20 21 22 23 24 25 26 27 28 Il, SUMMARY OF THE CASE 1. Plaintiffs initiate this action against Sony on their own behalf, and on behalf of all persons similarly situated, to seek redress for Sony’s failure to implement and maintain reasonable security policies and procedures appropriate to protect its current and former employees’ and associates’ personal information, for failing to adequately protect its current and former employees’ and associates’ privacy rights and for negligent data security, 2. In November 2014, as a result of Sony’s inadequate data security, unauthorized individuals accessed and publicized the names, addresses, social security numbers, medical history, employment records, human resources records and financial information of more than 47,000 current and former Sony employees and associates (“the Breach”). The exposure resulting from the Breach was unprecedented. The damages sustained by Sony’s current and former employees and associates (“Class Members”) is staggering and cognizable, 3. The Breach arose in connection with the forthcoming release of Sony's controversial new North Korean-themed comedy, The Interview. The Interview is a fictionalized account of a bumbling American talk show host (James Franco) and his producer (Seth Rogen) attempting to kill North Korean leader Kim Jong Un. Sony knew the risks and repercussions associated with releasing the film. Sony received multiple warnings that retribution for releasing the film was inevitable. Sony moved forward with the film, knowing that by doing so, it created an unreasonable risk for Plaintiffs and Class Members. 4. In the days preceding the Breach, Sony knew or should have known Plaintifis” and Class Members’ highly sensitive private information (“Personally Identifiable Information” or “PII”) was at increased risk of exposure and publication. In recent years, on multiple occasions unauthorized individuals successfully accessed Sony’s computer systems. Recent evidence suggests that, on at least one occasion, Sony failed to provide notification to affected individuals where it was not required by law. On multiple occasions Sony was warned its information security programs were inadequate to protect the PII they had a duty to secure, Sony was aware its security devices were deficient and vulnerable. Sony knew Plaintiffs’ and Class Members’ PII were at risk of exposure and knew its information security programs were -3- CLASS ACTION COMPLAINTSewer s,uvewn u rey 4 15 16 7 18 19 20 21 22 23 24 25 26 27 28 unable to offer adequate protection, yet Sony failed take adequate measures to mitigate the risks to Plaintiffs and Class Members or to remedy their information security shortcomings. 5. Plaintiff's and Class Members had a protected privacy interest in the PII they provided to Sony. The PII Plaintiffs and Class Members provided to Sony was for the limited purpose of applying for and maintaining employment with Sony. Plaintiffs and Class Members had a reasonable expectation that Sony would protect their privacy interests. Sony’s actions and inactions as alleged herein amounted to a serious invasion of Plaintiffs’ and Class Members’ protected privacy rights and directly resulted in damages to Plaintifis and Class Members. 6. Sony owed a duty to Plaintiffs and Class Members to take reasonable measures to assure their PIT was adequately protected. Sony knew or should have known that exposure and publication of Plaintiffs’ and Class Members’ PII would result in devastating damages. Sony breached its duty to Plaintiffs and Class Members by creating an undue risk that Plaintiffs’ and Class Members” PIT would be exposed by failing to take appropriate action to mitigate the risks it created, by failing to maintain adequate information security systems, by failing to implement effective policies and procedures regarding information security, by failing to follow the policies and procedures it had regarding information security, and by failing to prevent the exposure and publication of Plaintiffs’ and Class Members’ PII. Sony's conduct was reckless, grossly negligent or at a minimum negligent. As a proximate result of Sony’s breach of duty, Plaintiffs’ and Class Members’ highly sensitive PII was compromised, their privacy was invaded, they were deprived of the exclusive use and control of their private information, they have incurred out-of-pocket costs and spent considerable time, and they will continue to suffered economic damages and spend considerable in order to consistently monitor and protect their private information from imminent misuse. 7. The publication of Plaintiffs’ and Class Members PII was vast and widespread. The injury sustained by Plaintiffs and Class Members is irreversible. The repercussions of Sony’s failure to implement and maintain reasonable security practices and procedures will likely damage Plaintiffs and Class Members for the rest of their lives. eae CLASS ACTION COMPLAINTI. JURISDICTION AND VENUE 8. This Court has jurisdiction over this action because this is a civil action where the amount in controversy, exclusive of interests and costs, exceeds the jurisdictional minimum of this Court. The acts and omissions complained of in this action occurred in whole or in most part in the State of California, 9. Venue is proper because the acts and omissions giving rise to this action occurred in Los Angeles County, California. Sony transacts business and is headquartered within this Judicial District. IV. PARTIES 10, Plaintiff Susan Dukow (“Dukow”) is a citizen of the State of California and currently resides in Los Angeles County. Dukow is a former Sony employee. Dukow served in various production roles for Sony including, but not limited to, production coordinator on Last Action Hero (1993), Jerry Maguire (1996), Spider-Man (2001), Charlie’s Angels I (2002) and Spider-Man II (2004). Dukow’s PII was exposed and published in connection with the Breach. 11. Plaintiff Yvonne Yaconelli is a citizen of the State of California and currently resides in Ventura County. Yaconelli is a former Sony employee. Yaconelli served in various production roles for Sony including, but not limited to, production manager on Spider-Man II (2004), Riding in Cars With Boys (2001), Guess Who (2005), Catch and Release (2006), How Do You Know (2010), The Green Hornet (2011) and The Smurfs 3D (2011). Yaconelli’s PII ‘was exposed and published in connection with the Breach, 12, Defendant Sony Pictures Entertainment, Inc. (“Sony”) is a subsidiary of Sony Corporation. Sony is a corporation organized under the laws of the State of Delaware with its principal place of business and corporate headquarters in Culver City, California, 13, Defendant DOES 1 through 100 are sued herein by fictitious names for the reason that their true names are unknown to Plaintiffs. Plaintiffs will seek leave to amend this complaint to allege the true names and capacities of these Defendants when the same have been ~4= CLASS ACTION COMPLAINTascertained. Plaintiffs are informed and believe and based thereon allege that these fictitiously named Defendants are responsible in some manner for the actions and damages alleged herein, 14. Plaintiffs are informed and believe and based thereon allege that at all times herein relevant, each of the Defendants was the alter ego, agent, servant, representative and employee of the remaining Defendants, and in doing the things hereinafter alleged, each was acting within the course and scope of said agency and employment and with the ratification and authorization of their respective principals. V. _ COMMON ALLEGATIONS A. Plaintiffs and Class Members Have a Legally Protected Privacy Interest in Their Pu. 15. Sony maintains the PII of its current and former employees and associates in digital format on various computers and servers within the possession, custody and control of Sony. 16. The PII Sony maintain includes, but is not limited to, the names, addresses, social security numbers, medical history, human resources records, employment records, financial information and correspondence relating thereto of their current and former employees and associates. 17. At the time of the Breach, Sony was in possession, custody and control of Plaintiffs’ and Class Members’ PII. 18. Sony came into possession of Plaintiffs’ and Class Members’ PII for the limited purpose of applying for and maintaining employment with Sony. Plaintiffs and Class Members had a reasonable expectation Sony would use their PII solely for the limited purpose of applying for and maintaining employment with Sony. 19. Plaintiffs and Class Members have a property interest in their PII controlled by Sony. 20. Plaintifis and Class Members have a legally protected privacy interest in their PII controlled by Sony. Te CLASS ACTION COMPLAINT21. Plaintiffs and Class Members had a reasonable expectation that Sony would protect the privacy interest Plaintiffs and Class Members had in their PII. 22. Sony had a duty to take reasonable actions to protect Plaintiffs’ and Class Members’ PII. B. The Breach 23. In or about November 2014, unidentified and unauthorized individuals breached Sony's computer system. These individuals gained accessed to the highly sensitive PII of approximately 47,000 current and former Sony employees and associates, including the PII of Plaintiffs and Class Members. The unidentified individuals obtained access to approximately 100 terabytes of data from Sony’s servers. 24, The Breach became apparent on or about November 24, 2014, when Sony employees logged onto their computers and were greeted with an image of a skeleton accompanied by the text “Hacked by #GOP.” The Breach became public later that day when news outlets began to report Sony had been hacked. 25. Subsequent to the Breach, tens of terabytes worth of data was released on the Internet. 26. — Onor about Thursday, November 27, 2014, five Sony films, including four that had yet to be released, were shared online. 27. Onor about December 1, 2014, the pre-bonus salaries of the top seventeen Sony executives were leaked along with files containing the salaries of more than 6,000 current and former Sony employees and associates. 28. On or about Wednesday, December 3, 2014, files showing the passports and visas of cast and crew members were released along with film budgets, confidential contracts, and the user names and passwords of Sony executives were also released. 29. Onor about Friday, December 12, 2014, various news outlets reported that the exposed documents included medical records of dozens of Sony employees and associates. According to news sources, a human resources spreadsheet was exposed that included the birth dates, health conditions and medical costs incurred by 34 employees, their spouses and their Te CLASS ACTION COMPLAINTCm Iraneon 10 u 12 13 14 15 16 7 18 19 20 2 22 23 24 25 26 27 28 children, 30. Subsequent to the Breach, Plaintiffs’ and Class Members’ PII was released on the Internet. 31. Subsequent to the Breach, the public was able to access the PII of current and former Sony employees and associates, including that of Plaintiffs and Class Members. In the days following the Breach, thousands of people accessed the PII of Sony’s current and former employees and associates. 32. On Thursday, December 4, 2014, The Associated Press reported that cyber security experts found “striking similarities between the code used in the hack of Sony Pictures Entertainment and the attacks blamed on North Korea which targeted South Korean companies and government agencies last year.” C. Sony Put Plaintiffs and Class Members at Increased Risk. 33. Prior to the Breach, Sony knew or should have known there was an unreasonable risk Plaintiffs’ and Class Members’ PII would be exposed. 34. Upon information and belief, as early as May 2014, Sony executives expressed apprehension about releasing The Interview. Sony executives articulated concerns about depicting the assassination of a living political leader on film. 35. Various news reports suggest the original script of The Interview included a fake villain, but that Sony specifically changed the script to make North Korea’s leader Kim Jong Un the film’s villain, Upon information and belief, Sony knew it was reasonably foreseeable that producing a script about North Korea’s leader Kim Jong Un would cause a backlash, Upon information and belief, Sony executives were excited about the possibilities of producing a film with a real-world villain. 36. Upon information and belief, Sony was wamed there was a real and imminent risk of a backlash if they released The Interview. 37. In June 2014, the head of the Center for Korean-American Peace publically titicized The Interview to the media. Later that month, North Korea’s U.N. ambassador, Ja aa CLASS ACTION COMPLAINTCaran eon 10 Ml 12 1B 14 15 16 7 18 19 20 21 22 23 24 25 26 27 28 Song Nam, said The Interview was tantamount to “an act of war” and threatened “a decisive and merciless counter measure.” 38. Sony’s actions and inactions related to the forthcoming release of The Interview created an unreasonable risk that Plaintiffs’ and Class Members’ PII would be exposed. D. Sony Knew Its Data Security and Data Management Policies and Procedures Were Insufficient. 39. Upon information and belief, Sony’s data security was insufficient to protect the types of information they were required to protect, including, Plaintiffs’ and Class Members’ PIL. Upon information and belief, Sony knew their data security was insufficient to protect the types of information they were required to protect, including Plaintiffs’ and Class Members’ Pu. 40. Upon information and belief, Sony’s data management policies and procedures were insufficient to protect the types of information they were required to protect, including Plaintiffs’ and Class Members’ PII. Upon information and belief, Sony knew its data ‘management policies and procedures were insufficient to protect the types of information they were required to protect, including Plaintiffs’ and Class Members’ PII. 41. Upon information and belief, Sony failed to adequately enforce the data management policies and procedures it had in place at the time of the Breach, 42. Upon information and belief, Sony was warned multiple times its data security and their data management policies and procedures were inadequate. 43. Upon information and belief, a 2013 report found that many of Sony’s critical security devices were not being properly monitored and were vulnerable to a breach. The report found Sony had no process in place to prevent its security problems from getting worse. 44, Upon information and belief, prior to the Breach, Sony was aware of reports that it was vulnerable to a security threat and that it could do more to reduce specific attacks. 45. Upon information and belief, at the time of the Breach, Sony stored thousands of passwords in a file named “password.” CLASS ACTION COMPLAINTCer Aner on 10 ul 12 13 14 15 16 7 18 19 20 2 23 24 25 26 27 28 46. Upon information and belief, at the time of the Breach, Sony maintained unprotected documents listing the usernames and passwords of hundreds of social media and web service accounts as well as passwords for its internal computers. 47. Upon information and belief, at the time of the Breach, Sony failed to effectively encrypt sensitive information. 48. Upon information and belief, upon learning its data security and its data ‘management policies and procedures were insufficient to adequately protect the types of information they were required to protect, Sony failed to take reasonable measures to cure its security problems 49. Sony unreasonably delayed informing Plaintiffs and Class Members about the Breach of their confidential and non-public information after Sony had knowledge the Breach occurred. 50. Sony failed to disclose to Plaintiffs and Class Members without unreasonable delay and in the most expedient time possible, the breach of security of their unencrypted, or not properly securely encrypted, PII when it knew or reasonably believed such information had been compromised. 51. Inthe usual course of business, employers, including Sony, possess and retain certain medical records and information belonging to its current and former employees, including that of Plaintiff and Class Members. 52. During their employment with Sony, Plaintifis and Class Members lived in California. 53. Atall relevant times, Sony had a legal duty to protect the confidentiality of Plaintiffs’ and Class Members’ medical information. 54. Sony violated the Medical Information Act and its legal duty to protect the confidentiality of such information by failing to ensure adequate security systems were in place to prevent access and disclosure of Plaintiffs’ and Class members’ private medical information without written authorization. Me oon CLASS ACTION COMPLAINTSecmrxaaueeon uW 13 14 15 16 17 18 19 20 21 2 23 24 25 26 27 28 E. Sony Was Subject to Data Breaches In The Past. 55. Onmultiple occasions in recent years, unauthorized individuals have been able to successfully access private information maintained by Sony. In April 2011, Sony’s PlayStation Network (“PSN”) was hacked. The hackers accessed account names, birth dates, email addresses, and private financial information belonging to 77 million PSN users. PSN was offline for several weeks. Last year, the United Kingdom’s Information Commissioner's Office fined Sony £250,000 ($425,397) for the “serious break of the Data Protection Act due to the account information leak, and said it “could have been prevented.” 56. In 2011, sonypictures.com was breached, exposing the PII of approximately 37,000 individuals. 57. In August 2014, a group calling itself the Lizard Squad crashed the PSN with a “denial of service” attack. 58. In February 2014, unidentified individuals breached Sony’s computer systems and accessed Brazilian corporate files. Recently exposed documents suggest Sony decided not to notify individuals or go public about that attack. F. Sony Acted Recklessly. 59. Sony’s actions and inactions as alleged herein amounted to reckless conduct under the law. 60. Sony’s actions and inactions as alleged herein amounted to gross negligence, or at a minimum negligence under the law. 61. Sony's actions and inactions as alleged herein amounted to a serious invasion of Plaintiffs’ and Class Members’ protected privacy rights. 62. Sony's actions and inactions as alleged herein amounted to a breach of Sony's [duty to protect Plaintiffs’ and Class Members’ PIL 63. Because of Sony’s actions and inactions as alleged herein unauthorized individuals were able to gain access Plaintiffs’ and Class Members’ PIL 64, Sony’s actions and inactions as alleged herein resulted in the exposure and publication of Plaintiffs’ and Class Members’ PII. 70> CLASS ACTION COMPLAINTCor anneen 10 ul 12 B 14 15 16 7 18 19 20 21 23 24 25 26 27 28 65. Sony's actions and inactions as alleged herein increased Plaintiffs’ and Class ‘Members’ risk of becoming victims of identity theft crimes. 66. The Breach would not have happened or the scope of the Breach would not have been as great, but for Sony’s actions and inactions as alleged herein. 67. Employers such as Sony are obligated to act with care, skill, prudence, and diligence under the circumstances then prevailing that a prudent company acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character with like aims, 68. Upon information and belief, Sony failed to take reasonable precautions to secure Plaintiffs’ and Class Members’ PII and failed to protect Plaintiffs and Class Members from invasion of privacy, fraud, identity theft, embarrassment and associated expenses. 69. Sony's actions and inactions as alleged herein caused Plaintiffs and Class ‘Members damages. Plaintifis and Class Members have spent or will need to spend considerable time and money protecting themselves as a direct result of Sony’s actions and inactions as alleged herein. 70. — Due to the fact Plaintiffs and Class Members have had their social security numbers stolen as a result of Sony’s actions and inactions as alleged herein, Plaintiff’ and Class ‘Members will have to consistently monitor their credit card accounts, credit reports and other private information. Social security numbers are virtually impossible to change, so Plaintiffs and Class Members will be at risk of identity theft for the rest of their lives. 71. Asaresult of Sony’s actions and inactions as alleged herein, Plaintiff’ and Class ‘Members seek damages, restitution, declaratory relief, injunctive relief, and any other such relief as the Court may award. Ml mM ut Mt uw elle CLASS ACTION COMPLAINTVIL CLASS ALLEGATIONS 72. Plaintiff's bring this class action pursuant to Cal. Civ. Proc. § 382, on behalf of themselves and all other similarly situated persons as members of a Class initially defined as. follows: All current and former individuals working for or associated with Sony whose personally identifiable information was compromised as a result of the data breach announced by Sony in or about November 2014. 73. The following persons and entities shall be excluded from the Class: (a) all persons who make a timely election to be excluded from the proposed Class; (b) governmental entities; and (c) the judge(s) to whom this case is assigned and any immediate family members thereof. 74, Plaintiffs reserve the right to redefine the Class prior to certification. 75. This action is properly maintainable as a class action. 76. — Numerosity: The Class for whose benefit this action is brought is so numerous that joinder of all Class members is impracticable. While Plaintiffs do not presently know the exact number of Class members, Plaintiffs are informed and believe that there are thousands of Class members, and that those Class members can only be determined and identified through Sony’s records and, if necessary, other appropriate discovery. 77. Common Questions of Law and Fact: There are questions of law and fact which ‘are common to Class members and which predominate over any questions affecting only individual members of the Class. A class action will generate common answers to the below questions, which are apt to drive the resolution of the litigation: a. Whether Sony implemented and maintained reasonable and appropriate security systems and security practices and procedures necessary to protect the personal information of Plaintiffs and Class Members from unauthorized access, destruction, use, modification, or disclosure; b. Whether Sony’s failure to implement and maintain reasonable and appropriate Tae CLASS ACTION COMPLAINTCaran eon 10 ML 12 1B 14 15 16 7 18 19 20 2 22 23 24 25 26 27 28 78. security systems and security practices and procedures put Plaintifiés and Class Members at a greater risk their PII would be exposed and/or publicized; Whether Plaintiffs and Class Members suffered damages as a result of Sony’s failure to implement and maintain reasonable and appropriate security systems and security practices and procedures; Whether Plaintiffs and Class Members had a legally protected privacy interest in their PII that Sony maintained; Whether Plaintiffs and Class Members had a reasonable expectation of privacy under the circumstances at issue; ‘Whether Sony’s actions and inactions amounted to a serious invasion of Plaintiffs’ and Class Members’ protected privacy interests; Whether Sony owed a legal duty to Plaintiffs and Class Members to protect their PII and whether Sony breached that duty; Whether Sony’s was reckless, grossly negligent and/or negligent in failing to protect Plaintiffs’ and Class Members’ PIT; Whether Plaintiffs and Class Members suffered damages as result of Sony’s failure to protect Plaintiffs’ and Class Members’ Pll; Whether Plaintiffs and Class Members have an increased risk of identity theft as result of Sony’s failure to protect Plaintiffs’ and Class Members’ PII; Whether Plaintiffs and Class Members are entitled to the relief sought, including injunctive relief. Adequacy: Plaintiffs will fairly and adequately protect the interests of the Class Members and have retained counsel competent and experienced in class action lawsuits. Plaintiffs have no interests antagonistic to or in conflict with those of Class Members and therefore are adequate representatives for Class Members. 79. Superiority: A class action is superior to other available methods for the fair and efficient adjudication of this controversy because the joinder of all Class Members is impractical. Furthermore, the adjudication of this controversy through a class action will avoid = CLASS ACTION COMPLAINTthe possibility of an inconsistent and potentially conflicting adjudication of the claims asserted herein. There will be no difficulty in the management of this action as a class action. 80. Notice: Plaintiff's will provide the individual notice and/or notice by publication to the Class to the extent required by law, due process considerations and as approved by this, Court, VII. FIRST CAUSE OF ACTION (Violations of the California Data Breach Act, CAL. Civ. CODE § 1798.80 ef seq.) (On Behalf of Plaintiffs and Class Members) 81. Plaintiffs repeat and re-allege the allegations contained in each of the paragraphs of this Complaint as if fully set forth herein. 82. Plaintiffs bring this cause of action on behalf of all current and former Sony employees and associates whose PII was compromised as a result of the data breach in November 2014, 83. CAL. Civ, Cope § 1798.1 states that: The Legislature declares that the right to privacy is a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution and that all individuals, have a right of privacy in information pertaining to them. The Legislature further makes the following findings: (a) The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies. (b) The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information, (© Inorder to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits. 84. CAL. Civ, Cope § 1798.81.5(b) requires that any “business that owns or licenses personal information about a California resident shall implement and maintain reasonable Tia CLASS ACTION COMPLAINTCe ranean 10 u 12 13 14 15 16 7 18 19 20 21 22 23 24 25 26 27 28 security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, 85. CaL. Civ. Cope § 1798.82 provides, in pertinent part, as follows: (b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. see (@ Any person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements: (1) The security breach notification shall be written in plain language. (2) The security breach notification shall include, at a minimum, the following information: (A) The name and contact information of the reporting person or business subject to this section, (B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach. (©) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice, (D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided. (E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided. (F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver's license or California identification card number. Tis CLASS ACTION COMPLAINTCaran eun 10 Ml 12 13 14 15 16 17 18 19 20 2 22 23 24 25 26 27 28 (8) Any person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code. (g) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. 86. Sony is a “business” as defined by CaL. Civ. CopE § 1798.80(a). 87. Sony owned or licensed the personal information of Plaintiffs and Class Members. 88. The unauthorized acquisition of Plaintiffs’ and Class Members’ PII constituted a “breach of security” of Sony. 89. Sony unreasonably delayed informing Plaintiffs and Class Members about the Breach of their confidential and non-public information after Sony had knowledge the Breach occurred. 90. Sony failed to disclose to Plaintiffs and Class Members without unreasonable delay and in the most expedient time possible the breach of security of their unencrypted, or not properly securely encrypted, PII when it knew or reasonably believed such information had been compromised. 91. Upon information and belief, no law enforcement agency instructed Sony that notification of Plaintiffs or Class Members would impede investigation, 92. The nature of the personal information of Plaintiffs and Class Members that Sony maintained was highly sensitive. The highly sensitive nature of the personal information S16: CLASS ACTION COMPLAINTCor anuneon 10 i 12 13 14 15 16 17 18 19 20 21 ae 23 24 Pee 26 27 28 Sony maintained required Sony to act with heightened care to assure that information was protected, 93. Sony failed to implement and/or maintain reasonable security systems and security practices and procedures appropriate in relation to the highly sensitive nature of the personal information it maintained. 94. Sony's failure to implement and/or maintain reasonable security systems and security practices and procedures appropriate in relation to the highly sensitive nature of the personal information it maintained resulted in the unauthorized access, use, and disclosure of Plaintiffs and Class Members’ PII. 95. Pursuant to CAL. Civ. Cope § 1798,84(a), “[any waiver of a provision of this title is contrary to public policy and is void and unenforceable.” CAL. Civ. CODE § 1798.84(e) farther states that “[a]ny business that violates, proposes to violate, or has violated this title may be enjoined.” 96. Asaresult of Sony’s violations of CaL. Civ. Cope §§ 1798.82 and 1798.81.5(b), Plaintiffs and Class Members incurred damages including increased risk of identity theft, loss of use of PI, public embarrassment and costs of credit monitoring and identity theft protection, 97. Plaintiffs, individually and on behalf of Class Members, seek all remedies available at law, including damages and injunctive relief as provided under Cat.. Civ. CODE § 1798.84(¢). Injunctive relief shall include, but is not limited to, providing credit monitoring and other security measures necessary to safeguard Plaintiffs’ and Class Members’ PII from misuse. VII. SECOND CAUSE OF ACTION (Constitutional Invasion of Privacy, CAL. CONST. ART. L, SEC. 1) (On Behalf of Plaintiffs and Class Members) 98. Plaintiffs repeat and re-allege the allegations contained in each of the paragraphs of this Complaint as if fully set forth herein. TW CLASS ACTION COMPLAINTSeowmrxr an ewn iW 12 13 14 15 16 7 18 19 20 21 22 23 24 25 26 27 28 99. Plaintiffs bring this cause of action on behalf of all current and former Sony employees and associates whose PII was compromised as a result of the data breach in November 2014, 100. CAL. Consr., ART. 1., SEC, 1 provides that “{a]ll people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” 101. Plaintiffs and Class Members had a legally protected privacy interest in the PIL provided to Sony. 102. Plaintiffs and Class Members had a reasonable expectation of privacy as to the PII they provided Sony under the circumstances. 103. Sony’s actions and inactions amounted to a serious invasion of Plaintiffs” and Class Members’ protected privacy interests. 104, Sony’s invasion of Plaintiffs’ and Class Members’ reasonable expectation of privacy caused Plaintiffs and Class Members to suffer damages. 105. By reason of the foregoing, Plaintiffs, individually and on behalf of Class Members, seek all remedies available at law, including injunctive relief in an amount to be determined at trial, IX. THIRD CAUSE OF ACTION (Violation of California Confidentiality of Medical Information Act, CAL. Cv. Cone § 56, et seq.) (On Behalf of Plaintiffs and Class Members) 106. Plaintiffs repeat and re-allege the allegations contained in each of the paragraphs of this Complaint as if fully set forth herein. 107. Plaintiffs bring this cause of action on behalf of all current and former Sony employees and associates whose PII was compromised as a result of the data breach in November 2014. TTB CLASS ACTION COMPLAINT108. The California Confidentiality of Medical Information Act, CAL. Civ. CODE § 56, et seq. (“Medical Information Act”) requires employers who receive medical information to establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information, These procedures may include, but are not limited to, instruction regarding confidentiality of employees and agents handling files containing medical information and security systems restricting access to files containing medical information. 109. Furthermore, the Medical Information Act prohibits employers from disclosing medical information regarding a patient without first obtaining written authorization from the patient. 110. Inthe usual course of business, employers, including Sony, possess and retain certain medication records and information belonging to its current and former employees, including certain of Plaintiffs’ and Class Members’ medical information. 111. During their employment with Sony, Plaintiffs and Class Members lived in California, 112. Atall relevant times, Sony had a legal duty to protect the confidentiality of Plaintiffs’ and Class Members’ medical information. 113. Sony violated the Medical Information Act and its legal duty to protect the confidentiality of such information by failing to ensure adequate security systems were in place to prevent access and disclosure of Plaintiffs’ and Class members’ private medical information without written authorization 114, Pursuant to CAL. Civ. Cope §56.36, those Plaintiffs and Class Members whose ‘medical information was compromised are entitled to nominal statutory damages of $1,000.00 per class member as well as any actual damages sustained by those Plaintiffs and Class Members. X. FOURTH CAUSE OF ACTION (Negligence) (On Behalf of Plaintiffs and Class Members) 115, Plaintiffs repeat and re-allege the allegations contained in each of the paragraphs 719 CLASS ACTION COMPLAINTSewuwr sauewn 1 12 2B 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 of this Complaint as if fully set forth herein. 116. Plaintiffs bring this cause of action on behalf of all current and former Sony employees and associates whose PII was compromised as a result of the data breach in November 2014. 117. Inccollecting and maintaining Plaintiffs’ and Class Members’ PII Sony had a duty to use reasonable care to protect and adequately secure the PII of Plaintiffs and Class Members from unauthorized access, use, and disclosure. 118. The duty Sony owed to Plaintiffs and Class Members to protect their PIT is also underscored by the California Data Breach Act, which was created to protect the personal information of California residents. 119. Sony knew, or should have known, of the industry standards and/or “best practices” of the industry when it came to protecting the private information of employees and applicants. Sony did not follow industry standards and/or “best practices” of the industry when it came to protecting Plaintiffs’ and Class Members’ PII. 120. Through its acts and omissions described in detail herein, Sony unlawfully breached its duty to use reasonable care to protect and secure Plaintiffs’ and Class Members” PIL. More specifically, Sony failed to maintain a number of reasonable security procedures and practices designed to protect the PII of Plaintiffs and Class Members. 121. Sony's negligence was a substantial factor in causing harm to Plaintiffs and Class Members. 121. Asa direct and proximate result of Sony’s breach of its duties, Plaintiffs and Class Members suffered economic damages. Plaintiffs and Class Members will have to spend time and money to protect themselves, their credit and their reputations. In addition, Plaintiffs and Class Members will continue to suffer damages because they are at an increased risk of identity theft. 123. Neither Plaintiffs nor Class Members contributed to the security breach, nor did they contribute to Sony’s employment of insufficient security measures to safeguard Plaintiffs” or Class Members’ PII. T20= CLASS ACTION COMPLAINTCor anneun 10 itt 12 1B 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 124, By reason of the foregoing, Plaintiffs, individually and on behalf of Class Members, seek all remedies available at law, including injunctive relief in an amount to be determined at trial. XI. PRAYER FOR RELIEF WHEREFORE, Plaintiffs, individually and on behalf of the proposed class, request the Court: a Certify this case as a class action on behalf of the classes defined above, appoint Susan Dukow and Yvonne Yaconelli as the class representatives, and designate the undersigned as class counsel; Award injunctive and other equitable relief as is necessary to protect the interests of Plaintiffs and Class Members, including, but not limited to, providing credit monitoring and other security measures necessary to safeguard Plaintiffs and Class Members; Award damages to Plaintiffs and Class Members in an amount to be determined at trial; Award Plaintiffs and Class Members reasonable litigation expenses and attorneys’ fees; Award Plaintiffs and Class Members pre-and post-judgment interest, to the extent allowable by law; Award such other and further relief as equity and justice may require. DATED: December 16, 2014 JOHNSOP & JOHNSON LLP L. Johnson NevilléL. Johnson Brian T. Shippen-Murray Attorneys for Plaintiffs and Plaintiff Class 72T- CLASS ACTION COMPLAINTDEMAND FOR JURY TRIAL Plaintiffs individually and on behalf of the proposed class hereby demand a trial by Jury. DATED: December 16, 2014 JOHNSON LLP By juglas L. Johnson Neville L. Johnson Brian T. Shippen-Murray Attorneys for Plaintiffs and Plaintiff Class <2 CLASS ACTION COMPLAINT