Sony Breach Settlement: A Good Deal?

Data Breach , Litigation , Privacy

Court Grants Final Approval in Class-Action Case Sony Breach Settlement: A Good Deal?

A court has approved the settlement of a class-action lawsuit filed against Sony Pictures Entertainment on behalf of current and former employees in the wake of the company's massive 2014 breach that U.S. officials blamed on North Korea.

See Also: CISO Discussion: Secure Code

But some experts say the consumer protections provided in the settlement do not go much beyond what the company should have routinely provided to victims in the wake of a breach.

"The settlement focused on the kinds of things that companies normally do when there is a security breach - provide credit monitoring and give notice," says privacy attorney Kirk Nahra of the law firm Wiley Rein in Washington, D.C. "They probably should have done all of this already, but I'm not surprised that this was included, nor am I surprised that this isn't a 'bigger' settlement."

The Settlement Details

The total value of the multimillion dollar settlement won't be known until all current and former employees have the opportunity to sign up for the benefits offered. Earlier reports valued the settlement at up to $8 million (see: Sony Breach: No 007 to the Rescue). But the news site Deadline.com reports it could be worth as much as $15 million.

The lawsuit, filed in December 2014, alleged that Sony Pictures failed to secure its computer systems, servers and databases, "despite weaknesses that it has known about for years." The lawsuit also asserted that Social Security numbers and personally identifiable information linked to current and former employees had been stolen by attackers, and that some of that PII was being bought and sold on cybercrime forums.

Under terms of the settlement, approved by a district court judge in California on April 6, Sony Pictures will provide ID theft identity protection coverage through 2017 for approximately 437,000 current and former employees affected by the breach.

The company will also reimburse certain expenses for those who have become victims of ID theft because of the breach.

So far, Sony has committed $7 million to notify those affected by the breach and establish a fund to reimburse them for uncovered ID theft losses, the Associated Press reports.

Sony Pictures declined to comment about the settlement.

A Fair Settlement?

Privacy attorney Nahra says it's unlikely that employees affected by the breach will be able to prove actual harm stemming from the Sony Pictures' breach. And, as a result, they likely won't qualify for reimbursement for expenses associated with ID theft or misuse, he says.

"The Sony breach is a tricky one, because it focused on so many things beyond personal data," Nahra says. "There is no particular focus of general attention on the data of employees, and little indication that this information was subject to material risks. ... There are the same legal issues here that we see in any breach case - is there any actual harm from the breach? There hasn't been any general indication of any harm, to my knowledge, in this situation at all. Also, unlike other situations, where the personal data was the key focus of a hacker or a data theft, this is very much a byproduct of a broader attack, so maybe there is even less reason to see any actual harm here."

Neal O'Farrell, executive director of The Identity Theft Council, a victim support network, says it's unfortunate so much of the settlement focuses on offering ID theft monitoring services. "That offer is of little value, will do little to protect victims for the rest of their lives, and seems more of a PR stunt than a genuine concern for the plight of victims," he says. "Worse than that, it gives victims a false sense of security."

Malware Infection

In November 2014, a number of Sony Pictures' systems were infected with wiper malware that's designed to erase PC and server hard-drives (see Sony Pictures Cyber-Attack Timeline). Systems were reportedly infected three days after Sony Pictures received an email from a self-proclaimed hacktivist group known as Guardians of Peace threatening to do "great damage."

The hacktivist group claimed the attack was waged to punish Sony Pictures for releasing "The Interview," a satiric film that featured the fictional death of North Korean leader Kim Jong-un (see Sony Hacking Is a Hollywood Blockbuster).

Before the hackers infected Sony Pictures' systems with wiper malware, they stole tens of terabytes of data, including copies of unreleased movies and numerous private email exchanges, all of which they quickly began to leak (see Sony Breach Response: Legal Threats).

Although the U.S. government claims North Korea backed the attack, the North Korean government has denied those claims.

In December 2014, Sony Pictures filed a breach notification with California state authorities, reporting that current and former employees' names, addresses, Social Security numbers, driver's licenses, passport numbers, corporate credit card details, usernames and passwords, and salaries had likely been exposed. Sony also warned that some health information may also have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.