Did Sony fail to meet a competent standard? The fact that they got hacked is not sufficient proof they failed that standard. "Competent" does not mean invulnerable.

The exfiltration of 100TB of data from systems across their entire organization suggests so.

On a 100Mbit/s pipe that would take something like 3 months of full saturation to get that amount of data out. Realistically, we're probably talking about a hack spanning nearly every one of their systems for upwards of a year.