A federal judge dealt a blow to PlayStation users who say that a Sony security breach exposed more than 69 million personal and credit card accounts to theft.
The PlayStation Network, in conjunction with Qriocity, and Sony Online Entertainment, allows users with PlayStation 3 and PlayStation Portable consoles to play games over the Internet. For an additional fee, premium users can play against various third parties. Signup requires users to provide "personally identifying information to Sony, including their names, mailing addresses, email addresses, birth dates, credit and debit card information (card numbers, expiration dates and security codes) and login credentials," according to the court's summary.
A class says that hackers infiltrated the online system on April 16 or 17, 2011, because Sony negligently failed to provide adequate firewalls and safeguards.
The thieves allegedly made off with the personal info of millions of users. Three days later, Sony took the system offline, issuing a statement only that "[w]e're aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information," according to the complaint. PlayStateion Network and Qriocity remained offline for nearly a month and Sony Online Entertainment was down for two weeks, preventing users from accessing the services they had pre-purchased, the class says.
On April 26, while still investigating the data breach, Sony finally admitted the theft, stating that the system failure "may have had a financial impact on our loyal customers. We are currently reviewing options and will update you when the service is restored."
In May, Sony announced it would compensate users by providing "free identity theft protection services, certain free downloads and online services, and 'will consider' helping customers who have been issued new credit cards."
The January 2012 federal class action in San Diego contends that Sony knew or should have known that its system was vulnerable to such an attack. In 2011 "a PS3 user successfully 'jailbroke' his PS3 console and posted instructions for doing it," according to the court's summary of the complaint.
Despite the breach, Sony allegedly did nothing to beef up its safeguards. Sony immediately moved to dismiss, finding some relief from U.S. District Judge Anthony Battaglia last week.
The 36-page order dismisses several claims such as negligence, unjust enrichment, bailment and violations of California consumer protection statutes. Sony did not violate consumer-protection laws "because none of the named plaintiffs subscribed to premium PSN services, and thus received the PSN services free of cost," Battaglia wrote.
Battaglia also chucked the bailment charge with prejudice because "plaintiffs freely admit, plaintiffs' personal information was stolen as a result of a criminal intrusion of Sony's Network. Plaintiffs do not allege that Sony was in any way involved with the Data Breach." The unjust enrichment also failed with prejudice.
Finally, below are some excerpts from the PDF document (linked above) as follows:
ONY GAMING NETWORKS AND CUSTOMER DATA SECURITY BREACH LITIGATION
I. Factual Background
This action arises out of a criminal intrusion into the computer network system used to provide PlayStation Network (“PSN”) services. Plaintiffs, a putative consumer class, allege that Sony Computer Entertainment America, LLC (“SCEA”), Sony Network Entertainment International, LLC and Sony Network Entertainment America, Inc. (collectively, “SNE”), Sony Online Entertainment, LLC (“SOE”), and Sony Corporation of America (“SCA”) (collectively, “Sony” or “Defendants”) failed to follow basic industry-standard protocols to safeguard its customers personal and financial information, thereby creating foreseeable harm and injury to the Plaintiff class.
Sony develops and markets the PlayStation Portable (“PSP”) hand-held device and the PlayStation 3 (“PSP”) console (collectively, “consoles”) Among their key features are their ability to let users play games, connect to the Internet, access the PlayStation Network (“PSN”), Qriocity, and Sony Online Entertainment (“SOE”) (collectively, “Sony Online Services” or “SOS”), . For additional fees, the PSN also allows access to various third party services such as Netflix, MLB.TV, and NHL Gamecenter LIVE (“Third Party Services”).
These additional fees are paid to the source of the service rather than to Sony. Many who subscribe to these Third Party Services can only access them through their PSN account. As of January 25, 2011, PSN had over 69 million users worldwide,[Id], and SOE had over 24.6 million users worldwide. When establishing accounts with PSN, Qriocity, and SOE, Plaintiffs and other Class members were required to provide personally identifying information to Sony, including their names, mailing addresses, email addresses, birth dates, credit and debit card information (card numbers, expiration dates and security codes) and login credentials (“Personal Information”), which Sony stores and maintains on its Network. Sony continually monitors and records users’ PSN activities, purchases and usage, and maintains this usage data on its Network.
Plaintiffs allege that on April 16 or 17, 2011, hackers accessed Sony’s Network, stealing the Personal Information of millions of Sony customers, including Plaintiffs and the other Class members (the “Data Breach”). On April 17, 2011, Sony discovered that PSN and Qriocity user data had been stolen. Three days later, Sony took the PSN and Qriocity offline, stating that “[w]e’re aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information.” As a result of the Data Breach, Sony was forced to shut down the PSN and Qriocity for almost a month while it conducted a systems audit to determine the cause of the data breach. Meanwhile, SOE remained offline for more than two weeks.
During this prolonged downtime, Plaintiffs and the other Class members were unable to access PSN, Qriocity, and SOE, unable to play multi-player online games with others, and unable to use online services available through the PSN, Qriocity or SOE. Plaintiffs and the other Class members were also unable to access and use prepaid Third Party Services.
For the reasons set forth above, the Court GRANTS in part and DENIES in part Defendants’ motion to dismiss. Plaintiffs have until November 9, 2012 to file an amended Consolidated Complaint. Specifically, the Court makes the following findings with respect to Defendants’ instant motion:
1. GRANTS Defendants’ supplemental request for judicial notice as to all documents, but not as to the contents of the Privacy Protection Guidelines;
2. GRANTS Defendants’ motion to dismiss for lack of Article III standing as to Defendants SOE and SCA with leave to amend;
3. DENIES Defendants’ motion to dismiss for lack of Article III standing as to the remaining Sony Defendants;
4. GRANTS Defendants’ motion to dismiss as to the Sixth Cause of Action for negligence with leave to amend;
5. GRANTS Defendants’ motion to dismiss as to the First, Second, and Third Causes of Action under the UCL, FAL, and CLRA with prejudice as to non-resident Plaintiffs and Plaintiffs claims for restitution, and with leave to amend with respect to the remaining claims;
6. GRANTS Defendants’ motion to dismiss as to the Fourth Cause of Action under the Breach Act with prejudice as to non-resident Plaintiffs, and with leave to amend as to resident Plaintiffs and all remaining claims;
7. GRANTS Defendants’ motion to dismiss as to the Fifth Cause of Action alleging unjust enrichment with prejudice;
8. GRANTS Defendants’ motion to dismiss as to the Seventh Cause of Action alleging bailment with prejudice.