The massive hack of Sony Pictures Entertainment is raising a potentially costly question for companies across the country: How much responsibility do they have for protecting the most sensitive information about their employees?

Former employees have filed four lawsuits this week accusing Sony of not doing enough to protect their private data, including Social Security numbers, salaries, performance reviews and personal medical information. The latest suit, filed late Thursday on behalf of a former technical director at Sony Pictures Imageworks and a former Sony Pictures director of technology, says the company’s negligence led to the release of personal information about 47,000 current and former employees.

“For decades, Sony failed, and continues to fail, to take the reasonably necessary actions to provide a sufficient level of IT security to reasonably secure its employees’ personal information,” the lawsuit says.

The Sony attack, already one of the most damaging corporate cyberattacks in history, is sending chills through corporate executive suites. Companies accustomed to protecting customers’ credit card data and their trade secrets, now face a more daunting task: Securing sensitive personnel data that until the attack on Sony was not considered valuable to hackers.

Lisa Sotto, a cybersecurity lawyer at New York-based Hunton & Williams, said “Companies need to be acutely focused on preventing these types of attacks because they are aimed at toppling a company.”


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.