When I heard about this lawsuit I had to stop and wonder what possible reason someone would have for suing Sony over this. My original thought is that this is like suing the Watergate Hotel on behalf of the entire nation for the break-in that caused the downfall of a president and the upheaval surrounding it. Or perhaps suing somebody for allowing their car to get broken into and stolen, after which it hits somebody on the way to a robbery.
However, there does seem to be some room for speculation of culpability because of negligence on Sony’s part. Here’s an excerpt from an article by Maximum PC.
…. First PSN went poof, then Sony announced that some hacker got their keyboard-calloused mitts on everyone’s personal info, and now, well, you can probably see where this is headed. Yep: straight to court.
The Rothken law firm has filed a federal class action lawsuit against SCEA on behalf of PSN’s 77 million-strong customer base. Specifically, the suit takes Sony to task for “failure to maintain adequate computer data security of consumer personal data and financial data” and demands compensation for “extra time, effort, and costs” users must now expend to help clean up Sony’s mess.
“Sony’s breach of its customers’ trust is staggering,” said Rothken co-counsel J.R. Parker. “Sony promised its customers that their information would be kept private. One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn’t.”
Now the sticky part: Is it even fair to blame Sony for the actions of some maniacal tube-bending Internet wizard? Could any security measure take a hit like this and not come crumbling down? For obvious reasons, Sony’s not talking, but this Digital Foundry article is incredibly eye-opening. In a nutshell, PSN’s gaping security holes have been clearly visible since the Geohot jailbreaking brouhaha earlier this year, yet Sony did nothing to patch them up. There’s far more detail in the actual article, and it’s well worth a read.
So, does it constitute negligence on Sony’s part? That’s for the court to decide. …
In most lawsuits, actual damages need to be established, which in this case could be very hard to prove. Beyond the inconvenience of having to change login and credit card info, how do you assign actual blame to Sony for any erroneous charges on a credit card? Even PCI compliance is not a law; enforcement is left up to the merchant banks and the merchant to police. There is the federal mandate regarding protection of privacy, which is also loosely enforced and ill-defined for all but the health industry. There’s also the issue of how far-reaching this could be, as many public ISPs and web hosting companies do not strictly enforce server patches.
I believe this issue will end up playing out as nothing more than a brief distraction, much like what the BP oil spill has become: a lot of drum beating, finger pointing and hand wringing up front, with threats and promises made, then more finger pointing, maybe a slap on the wrist, then business as usual. In the end, it all comes down to how the consumer votes with their wallet.