WILMINGTON, Delaware/NEW YORK (Reuters) - Sony Corp could face legal action across the globe after it belatedly disclosed one of the biggest online data breaches ever.
In the United States, several members of Congress seized on the breach, in which hackers stole names, addresses and possibly credit card details from users of Sony’s PlayStation Network, to push for tougher laws protecting personal information.
The staff of a House of Representatives subcommittee were directed to investigate the hacking incident.
Attorneys general, who act as consumer advocates, had begun investigating the matter or reviewing it with staff in several states, including in Iowa, Connecticut, Florida and Massachusetts, according to their offices.
One U.S. law firm filed a lawsuit in California on behalf of consumers and requested the court to certify the case as class action.
In Britain, a government watchdog has already launched an investigation of the incident, which put credit card information at risk.
Britain’s Information Commissioner’s Office said it had contacted the company and was investigating whether Sony violated laws that require it to safeguard personal information. The commissioner’s investigation would depend in part on whether Sony stored user information in Britain.
While the Japanese electronics company pulled the plug on the PlayStation network on April 19, it did not tell the public about the data theft until Tuesday.
The disclosure sparked immediate outrage among gamers and revived criticisms of Japan’s corporate culture that plagued Toyota Motor during its huge automotive recall in 2010.
Shares in Sony fell 5 percent on Thursday as the massive leak of data threatened to crimp its business.
A Sony spokesman has said that after learning of the breach it took “several days of forensic investigation” before the company knew consumers’ data had been compromised.
Sony said on Tuesday that hackers accessed personal details on 77 million users.
Late on Wednesday, Rothken Law Firm filed a lawsuit on behalf of an individual plaintiff named Kristopher Johns against Sony in the Northern District of California court.
“This suit seeks to redress Sony’s failure to adequately provide service to PlayStation consoles and PlayStation Network,” the lawyers for the plaintiff said in a court filing.
The plaintiff has requested the court to certify this case as class action and has also sought unspecified monetary damages, according to the filing.
Sony did not immediately return a call on Wednesday seeking a comment.
“This is a huge data breach and the clients who have called are really upset, not just because of the data breach but it looks like Sony sat on information for as much as five days,” said Jay Edelson, an attorney at law firm Edelson McGuire.
Edelson’s firm specializes in class-action lawsuits over data breaches. He said he would decide in the next 24 hours whether to file a lawsuit.
The incident could give momentum for tougher policies in the United States.
Representative Mary Bono Mack of California said she directed staff of the House subcommittee for commerce, manufacturing and trade, which she chairs, to begin investigating the matter to determine if hearings are needed.
Representative Bobby Rush of Illinois said he would reintroduce legislation that would require companies to have reasonable security measures and Senator Tom Carper of Delaware said he hoped for a comprehensive cyber security bill this year.
U.S. regulators could get involved as well. The Federal Trade Commission has been known to pursue companies that failed to safeguard consumer data. It could investigate if it determines Sony failed to tell its customers about the company’s privacy policies.
A spokeswoman for the agency declined to comment.
Sony reported the breach to the FBI’s cybercrimes unit in San Diego, which is investigating, a person familiar with the probe told Reuters. The person was not authorized to discuss the matter publicly.
Sony may come under the toughest scrutiny from non-U.S. regulators, which have stricter consumer privacy laws.
“European countries are going to go crazy and be all over this,” said Dan Burk, a professor at the University of California, Irvine School of Law. “They are absolutely obsessed about companies holding personal information.”
Burk said subscribers will need to show they suffered damages as a result of the hacking for a U.S. lawsuit to have legs.
“If it was just hacking for fun, then it’s going to be tough,” he said.
The case in re: Kristopher Johns vs Sony Computer Entertainment America LLC, Case No. 11-2063, U.S. District Court, Northern District of California (San Francisco Division)
Additional reporting by Diane Bartz in Washington, Georgina Prodhan in London, Dan Levine in San Francisco and Sakthi Prasad in Bangalore; Editing by Maureen Bavdek and Tim Dobbyn