In December 2014, movie theaters found themselves in a predicament. Following an anonymous hacker’s threat to release confidential data stolen from Sony Pictures’ computer network (and the subsequent fulfillment of that threat), hackers threatened a terrorist attack on any theater that showed Sony’s film “The Interview.” In addition to concerns for the safety of their employees and patrons, the theaters presumably considered potential financial harm and legal consequences if the threatened violence became a reality. The vast majority of theaters decided that it was too risky to screen the movie.
Sony and movie theaters surely will not be the last companies ever threatened with embarrassment or violence, especially given the perceived success of the hackers’ threats. One issue that companies should therefore think about is the potential for being sued if a threat is made against them, carried out, and someone is injured or harmed. A claim that the company was negligent in its handling of the situation would be expected. Negligence is the failure to use “the skill, care and diligence that a reasonably careful person would use under the same or similar circumstances.” Peffer v. Cleveland Clinic Found., No. 94356, 2011 Ohio App. LEXIS 390, at *21 (Cuyahoga Cty. Feb. 3, 2011).
A claim that a company was negligent in its actions (or inactions) following a threat would likely focus on whether the company owed a duty to the plaintiff and the scope of that duty. Evans v. Ohio State Univ., 112 Ohio App. 3d 724, 738, 680 N.E.2d 161, 170 (Franklin Cty. 1996) (“[T]he elements necessary to establish actionable negligence consist of the existence of a duty, a breach of that duty and an injury proximately resulting therefrom.”). Among the totality of circumstances relevant to the duty question would be whether there was a special relationship between the company and the plaintiff. Id. at 739, 680 N.E.2d at 170 (“The existence of a duty in a negligence case is a question of law for a court to determine and there is no formula for ascertaining whether such a duty arises. Rather, it has been stated that duty * * * is the court’s expression of the sum total of those considerations of policy which lead the law to say that the particular plaintiff is entitled to protection.”) (omission of text in original) (citation omitted); Kerans v. Porter Paint Co., 61 Ohio St. 3d 486, 491, 575 N.E.2d 428, 432 (1991) (“[B]oth state and federal courts have held that an employer may be liable for failing to take appropriate action where that employer knows or has reason to know that one of its employees poses an unreasonable risk of harm to other employees.”); Thomas v. Hart Realty, Inc., 17 Ohio App. 3d 83, 85, 1477 N.E.2d 668, 670 (Hamilton Cty. 1984) (per curiam) (finding that a landlord had no duty to reasonably protect his tenant in the context of a burglary, but stating that such a duty traditionally exists in other relationships, namely “common carrier and passenger, business invitor and invitee, custodian and ward, and innkeeper and guest”). The scope of a company’s duty can also be defined by statute. 
For example, Section 2305.51 of Title 23 of the Ohio Revised Code provides the circumstances in which a mental health organization may be held liable for harm following a patient’s threat.
Although blackmail and threats against businesses seem to be more common today with the anonymity afforded by the Internet and social media, they are not new. In Popovich v. Pechkurow, No. 3838, 1956 Ohio App. LEXIS 883, at *2-3 (Mahoning Cty. Mar. 27, 1956), a bar patron sued the bar’s owner after another patron (named Scullen) made–and fulfilled–a threat of violence. The facts of the case included that, after the bar’s owner broke up a fight between Scullen and the plaintiff, Scullen said that he was “going home to get his gun and come back and shoot everyone in the tavern.” Id. at *2. The defendant bar owner advised his patrons to finish their drinks, dimmed the lights, and locked the doors, but he did not notify the police department. Id. Approximately fifteen minutes later, Scullen returned with a rifle and fired several shots through a glass panel, which struck the plaintiff in his left leg. Id. at *2-3. In his lawsuit claiming negligence, the plaintiff argued that the bar’s owner “owed [him] a duty of reasonable and ordinary care to protect him” and to keep the bar in a “reasonably safe condition, which include[d] guarding the tavern against ‘foreseeable circumstances.'” Id. at *3. The appellate court upheld the trial court’s directed verdict for the defendant, finding that the shooting was not foreseeable and that the causal chain had been broken. Id. at *7.
Sony is now facing its own negligence claim. Ex-employees filed a class action lawsuit alleging that Sony was negligent in protecting private employee data. Michael Corona, et al. v. Sony Pictures Entertainment, Inc., Case No. 2:14-cv-09600-RGK-SH, Central District of California. The lawsuit alleges that, prior to the dissemination of employees’ Social Security numbers, employment files, and other information to the public, the hacker “warned Sony that it had obtained ‘secrets’ and threatened to leak [those secrets] to the Web.” Cmpl. ¶ 15. The lawsuit also alleges that “Sony owed a legal duty to Plaintiffs and the other Class members to maintain reasonable and adequate security measures to secure, protect, and safeguard their [personal identifying information] stored on [Sony’s computer network].” Id. ¶ 4. Sony allegedly breached that duty by, among other things, “failing to design and implement appropriate firewalls and computer systems, failing to properly and adequately encrypt data, [and] losing control of and failing to timely re-gain control over” the codes protecting Sony’s computer network. Id.
One fact that could impact the outcome of the ex-employees’ lawsuit is Sony’s history of data breaches and security issues. Evans, 112 Ohio App. 3d at 738, 680 N.E.2d at 170 (defendant’s knowledge of the bad actor’s prior criminal record affected the defendants’ requisite duty); Lindsay P. v. Towne Properties Asset Mgmt. Co., No. CA2012-11-215, 2013 Ohio App. LEXIS 4318, at *21-22 (Butler Cty. Sept. 23, 2013) (reversing summary judgment for defendant landlord, and stating that, although “a landlord does not generally have a duty to protect its tenants from the criminal acts of third parties[,] . . . there are issues of fact regarding whether [defendant] should have reasonably foreseen [the] criminal activity” of a person who lived in the building but was not a lessee); Peffer, 2011 Ohio App. LEXIS, at *24 (“foreseeability is an element of a breach of the duty of care”). “Sony has had a long history of ongoing security issues,” says Scot Ganow, a colleague at Faruki Ireland & Cox P.L.L. with experience in privacy and security law. Mr. Ganow notes that, “[i]n 2011, hackers shut down the company’s PlayStation Network for more than twenty days, after stealing credentials, home addresses, and credit card information for 77 million users. Approximately a month later, over 20 million Sony Online Entertainment accounts were hacked. Any company in such a position should use such opportunities to understand and correct information security deficiencies.” In fact, the class action lawsuit alleges that “Sony failed to secure its computer [network], despite weaknesses that it has known about for years, because Sony made a ‘business decision to accept the risk’ of losses associated with being hacked.” Cmpl. ¶ 2.
The Sony leak and its subsequent fallout are an example of why companies should be proactive and analyze the potential consequences of a threat to their business, employees, or patrons. There unfortunately is no checklist of actions that would preclude a company from being found negligent. However, as stated by Mr. Ganow: “A federal regulator once told me that the worst thing to do is have an audit that identifies a known risk or vulnerability and then do nothing to mitigate or fix it. Thus, paying attention and taking action will not only prevent attacks and mitigate harm, it can lessen the likelihood of enforcement actions or successful litigation resulting from future breaches.” Consider yourself warned.