In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL No.11md2258 AJB (MDD)

CourtUnited States District Courts. 9th Circuit. United States District Court (Southern District of California)
Decision Date21 January 2014
Docket NumberMDL No.11md2258 AJB (MDD)


MDL No.11md2258 AJB (MDD)


DATED: January 21, 2014

As to all member and related cases


(Doc. No. 135)

This action arises out of a criminal intrusion into a computer network system used to provide online gaming and Internet connectivity via an individual's gaming console or personal computer. Plaintiffs, a nationwide putative consumer class, allege that Sony Computer Entertainment America, LLC ("SCEA"), Sony Online Entertainment, LLC ("SOE"), and Sony Network Entertainment America, Inc. ("SNE") (collectively, "Sony" or "Defendants"), failed to provide reasonable network security, including utilizing industry-standard encryption, to safeguard Plaintiffs' personal and financial information stored on Sony's network.1

Page 2

Presently before the Court is Sony's motion to dismiss Plaintiffs' First Amended Consolidated Class Action Complaint ("FACC"). (Doc. No. 135.) Sony also submitted a request for judicial notice, (Doc. No. 135, Ex. 2), a notice of lodgment of foreign authorities, (Doc. No. 135, Ex. 2), and a notice of supplemental authorities, (Doc. No. 137).2 Plaintiffs filed an opposition to Sony's motion to dismiss on May 6, 2013, (Doc. No. 146), and Sony filed a reply on June 20, 2013, (Doc. No. 150). The Court issued a tentative ruling on October 10, 2013, (Doc. No. 157), and held a hearing on the motion on October 18, 2013, (Doc. No. 158). On October 24, 2013, the Court ordered supplemental briefing on seven of Plaintiffs' consumer protection claims. (Doc. No. 159.) Sony filed its supplemental brief on November 15, 2013, (Doc. No. 163), Plaintiffs filed their opposition on December 6, 2013, (Doc. No. 164), and Sony filed its reply on December 20, 2013, (Doc. No. 165). On January 7, 2014, Plaintiffs filed a notice of supplemental authority informing the Court of a recent memorandum decision issued by the Ninth Circuit.3 (Doc. No. 166.) For the reasons set forth below, the Court GRANTS IN PART and DENIES IN PART Sony's motion to dismiss.


I. Factual Background

Sony develops and markets the PlayStation Portable hand-held device ("PSP") and the PlayStation 3 console ("PS3") (collectively, "Console" or "Consoles"). (FACC ¶¶ 38, 39.) Both Consoles allow users to play games, connect to the Internet, and access

Page 3

Qriocity, Sony Online Entertainment Services, and the Play Station Network ("PSN") (collectively, "Sony Online Services").4 (Id. at ¶¶ 40-43.) Through the PSN, which is offered to consumers free of charge, users can engage in multi-player online games, (Id. at ¶ 27), and for additional one-time fees, the PSN allows users to purchase video games, add-on content ("map packs"), demos, themes, movie trailers, TV shows, and movies (collectively, "Downloads"). Users can also access various prepaid third party services by connecting to Sony Online Services via their Consoles or computers, including Netflix, MLB.TV, and NHL Gamecenter LIVE (collectively, "Third Party Services"). (Id. at ¶ 45).

Before establishing a PSN, Qriocity, and/or SOE account, Plaintiffs and other consumers were required to enter into a Terms of Service User Agreement with Sony and agree to Sony's Privacy Policy. (Id. at ¶¶ 55-60.) As part of this registration process, Plaintiffs and other consumers were required to provide Sony with personal identifying information, including their names, mailing addresses, email addresses, birth dates, credit and debit card information (card numbers, expiration dates, and security codes), and login credentials (collectively, "Personal Information").5 (Id. at ¶ 35.) On April 1, 2011, SCEA transferred its online PSN and Qriocity service operations to SNEA, including transferring Plaintiffs' and other Class members' Personal Information to SNEA for handling. (Id. at ¶ 54.) As a result of the transfer, SNEA required all PSN and Qriocity users to enter into a new Terms of Service User Agreement ("PSN User Agreement") and Privacy Policy ("PSN Privacy Policy"). (Id. at ¶¶ 55, 56.) Plaintiffs

Page 4

who established accounts with SOE had to agree to SOE's User Agreement ("SOE User Agreement") and SOE's Privacy Policy ("SOE Privacy Policy"). (Id. at ¶ 60.)

On April 16, 2011 or April 17, 2011, Plaintiffs allege that hackers accessed Sony's Network (computer systems, servers, and databases), thereby stealing the Personal Information of millions of Sony's customers, including Plaintiffs. (Id. at ¶ 65.) Plaintiffs further allege that even though Sony discovered that PSN and Qriocity user data had been stolen as early as April 17, 2011, Sony did not notify Plaintiffs and other affected consumers at that time. (Id. at ¶ 70.) Instead, on April 20, 2011, Sony simply took the PSN and Qriocity systems offline, stating that "[w]e're aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information." (Id. at ¶ 71.) Thereafter, the PSN and Qriocity systems remained offline for almost a month while Sony conducted a system audit to determine the cause of the breach. (Id. at ¶ 124.) During this time, Plaintiffs and the other Class members were unable to use Sony Online Services, and many were unable to access Third Party Services via their Consoles. (Id.)

Between April 21, 2011 and April 25, 2011, while Qriocity and the PSN remained offline, Plaintiffs allege that Sony continued to misrepresent the circumstances of the breach. (Id. at ¶¶ 73-77.) Specifically, Plaintiffs allege that Sony did not inform the public of the breach until April 26, 2011, when Sony made a public statement that user Personal Information had been compromised, and encouraged those affected to "remain vigilant, to review [their] account statements[,] and to monitor [their] credit reports." (Id. at ¶ 78.) Shortly thereafter, Plaintiffs contend Sony admitted that its failures "may have had a financial impact on our loyal customers. We are currently reviewing options and will update you when the service is restored." (Id. at ¶ 79.) Plaintiffs further allege that Sony conceded that "[s]ome games may require access to PSN for trophy sync, security checks[,] or other network functionality[,] and therefore cannot be played offline." (Id.) On May 2, 2011, Sony also took SOE offline, (Id. at ¶ 82), and announced that SOE user Personal Information may have been compromised in the breach,

Page 5

(Id. at ¶ 83). This was the first time SOE users were informed that their Personal Information may have been compromised as a result of the intrusion. (Id. at ¶ 83.)

On April 30, 2011, ten days after Sony took the PSN and Qriocity systems offline, Sony announced that it would compensate PSN and Qriocity users in the United States with free identity theft protection services, certain free downloads and online services, and would consider helping customers who had to apply for new credit cards. (Id. at ¶ 85.) Likewise, on May 12, 2011, ten days after Sony took the SOE network offline, Sony announced that it would compensate SOE users in the United States by offering free identity theft protection services, one month of free service, and certain free in-game bonuses and currency. (Id. at ¶ 86.)

II. Procedural History

On August 16, 2011, the Judicial Panel on Multidistrict Litigation transferred certain civil actions from various district courts across the country into one consolidated action before this Court. (Doc. No. 1.) On November 11, 2011, the Court appointed a Liaison Counsel and a Plaintiffs' Steering Committee ("PSC") to streamline the process. (Doc. No. 61.) On January 31, 2012, the PSC filed a Consolidated Class Action Complaint ("Consolidated Complaint"), (Doc. No. 78), and on March 16, 2012, Sony moved to dismiss the Consolidated Complaint, (Doc. No. 94). The Court heard oral argument on the motion on September 27, 2012, and granted in part and denied in part Sony's motion to dismiss the Consolidated Complaint on October 11, 2012. (Doc. No. 120.) Plaintiffs filed the operative FACC on December 10, 2012. (Doc. No. 128.) The FACC contains eleven named Plaintiffs from nine different states and alleges fifty-one independent causes of action.6 (Id.)

III. Named Plaintiffs

Robert M. Bova ("Bova") resides in Tewksbury, Massachusetts and alleges that he acquired his PS3 in 2008. (FACC ¶ 18.) In or around 2009, Bova created a PSN

Page 6

account and provided his Personal Information to Sony, including information possibly regarding his Bank of America Visa and TD Bank debit card accounts. (Id.) Bova used the PSN through his PS3 to play games and to download additional game content such as "map packs." (Id.) As a result of the intrusion, Bova's Personal Information was stolen, he was unable to access the PSN during the brief interruption in service, and he purchased credit monitoring services at a cost of approximately $10.00 per month. (Id.) Bova does not allege when he purchased credit monitoring services or that he experienced any unauthorized charges as a result of the intrusion. (Id.)

Christian Pierce...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT