BreachExchange mailing list archives

Sony Hack: Studio to Pay Employees More Than $5.5 Million Over Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 21 Oct 2015 10:11:23 -0600

http://www.billboard.com/articles/business/6737348/sony-hack-studio-to-pay-employees-more-than-55-million-over-data-breach

Sony Pictures will be paying somewhere in the neighborhood of $5.5 million
to $8 million to resolve a class action lawsuit over a large hack attack
last winter that left the personal information of employees and
ex-employees vulnerable. The details of the settlement were revealed in
court papers on Monday night.

The lawsuit led by Michael Corona and other former employees at the studio
is a consolidated action of more than a half-dozen negligence and privacy
violation lawsuits that were filed after a data breach that has been
attributed by the U.S. government to North Korea in anticipation of the
release of The Interview.

The proposed deal contemplates a $2 million cash fund to reimburse class
members up to $1,000 each for preventive measures taken to protect against
identity theft. Meanwhile, the class action lawyers who represented the
plaintiffs would be getting almost $3.5 million.

In addition to those firm cash payments, under the terms of the deal, Sony
would be providing identity protection services to ex-employees for two
years through a third party called AllClear ID. That company would cover
credit monitoring and $1 million in identity theft insurance while Sony
would pick up the tab for a further $2.5 million -- or up to $10,000 per
individual -- for class members who experience unreimbursed loss from
identity theft attributable to the Sony Pictures cyberattack.

The settlement appears to be a boon for the class action attorneys who
worked on the case. These lawyers at the law firms of Keller Rohrback,
Girard Gibbs and Lieff Cabraser could be walking away with a larger cash
payment than the thousands of Sony employees who suffered a data breach. In
a declaration by attorney Cari Laufenberg, the plaintiffs' counsel say that
during a six-month discovery period, they reviewed tens of thousands of
documents produced by Sony, hundreds of thousands of documents disclosed on
the Internet, took depositions of Sony executives, hired an economist and
data breach expert to analyze damages and met several times for
negotiations with the other side.

The money that Sony is paying out to workers could rise from $2 million to
$4.5 million, but proving losses are attributable to cyberhackers could
prove troublesome. Although several of the plaintiffs reported being victim
to identity fraud in the months following the hack, Sony pointed to other
data breaches at Target, eBay and Home Depot and questioned how employees
would show the proximate cause of their injuries.

Negotiations for the deal began in June, around the time that U.S. District
Judge R. Gary Klausner ruled the plaintiffs had established standing and
sufficiently pled injury to advance the dispute beyond Sony's motion to
dismiss. The parties reached a deal in principle on Sept. 1, just as the
parties were gearing up for a fight over class certification. It took
another six weeks to complete the paperwork. Now that the parties have
presented the deal, a judge will analyze it for fairness and could pay
particular attention to the huge cut that the lawyers will be taking. The
attorneys who have worked on the case are already emphasizing the value of
the ongoing identity protection services.

If approved, former employees will also have the opportunity to opt out of
claims to continue pursuing legal action against Sony. At least two other
lawsuits are pending in California state court, and as a condition of the
deal, those plaintiffs will have to agree to a dismissal. Sony is admitting
no liability or wrongdoing from claims that it could have taken better
measures to ensure security before the hack occurred.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/