Billboard is reporting that Sony and the employees suing them as a result of the breach last year have come to a tentative agreement. The employees were suing for negligence and privacy violations.
If the settlement is approved, The employees will get $2 million – up to $1,000 each – for preventative measures taken against identity theft. The lawyers will get $3.5 million.
In addition, Sony is paying for identity theft protection for two years and $1 million in identity theft insurance.
Additionally, Sony will pick up another $2.5 million – up to $10,000 per employee – for unreimbursed losses as a result of the breach. Note that this is likely not going to be touched, so it doesn’t really count.
Why will this not be touched? Two reasons. First, losses on credit cards will be eaten by the banks and credit card associations – your liability, at most, is $50.
Second, and this is pretty novel, Sony is saying that with the Target breach, the Home Depot breach and many others, you need to prove that the unreimbursed loss was as a result of the hackers stealing your information from us and not one of the other breached sites. That is pretty much impossible to do.
If the judge approves this – and it is not clear that he will – who wins is the attorneys.
From Sony’s standpoint, spending $5 million plus attorney’s fees is way cheaper than actually protecting the information. Of course they have lots of other expenses – fixing the breached systems, lost business, film revenue, etc., but a lot of that is covered by insurance.
Sony’s former director of information security said “it’s a valid business decision to accept the risk’ of a security breach…I will not invest $10 million to avoid a possible $1 million loss.”
What we don’t know and will likely never be disclosed is whether Sony loses some picture deals as a result of the rather caustic comments attributed to their executives in leaked emails.
And there still could be shareholder lawsuits and other non-employee suits.
Information for this post came from Billboard.