Another chapter in Sony Corporation’s data breach woes appears headed for settlement. This latest chapter, which follows other well-publicized Sony data breaches, began when hackers took control of the company’s computer network in November 2014.
Among the victims: thousands of employees and former employees whose personal data — including salary information, Social Security numbers, performance reviews and even detailed health records — was published on the Internet. The class action that followed alleged that the hacker was not particularly sophisticated and merely took advantage of security flaws and system weaknesses which Sony itself had identified, but failed to address because it did not consider them business priorities. In June 2015, a federal judge dismissed some of the plaintiffs’ claims, but allowed the case to proceed, noting that the publication of personal information on the Internet was “alone sufficient” to establish a credible threat of real and immediate harm to the named plaintiffs and putative class members.
On October 19, 2015, the parties filed a motion for preliminary approval of a proposed class settlement. Under the proposed settlement, Sony would be required to pay between $5.5 and $8 million, with $2 million of that amount being used to reimburse class members for preventive measures against identity theft. The remaining $2.5 million would go to class members who show that they have experienced actual unreimbursed losses as a result of identity theft. The settlement also requires Sony to continue providing identity protection services and insurance for two years, and requires that Sony separately pay up to $3.49 million in attorneys’ fees.
Assuming final approval of the settlement, and even as Sony brings this chapter to a close, the case serves as a fresh reminder that employers across all different sectors are responsible for safeguarding employee records and other personal information. Developing and implementing reasonable protective measures should be key points of any data security plan.
Corona v. Sony Pictures Entertainment, Inc., Case No. 2:14-09600 (C. D. California).