Last November I reported to you about the tentative settlement of the lawsuit brought by former Sony Pictures Entertainment employees against the company over the massive 2014 data breach at Sony, in which sensitive personal information, including Social Security numbers and health data on thousands of present and former employees, was stolen. The plaintiffs alleged that Sony was negligent in failing to protect their personal information. I first reported to you about this lawsuit, Corona et al. v. Sony Pictures Entertainment, in my Scam of the day for March 13, 2015. Now Judge Gary Klausner has given final approval to the settlement. Under the terms of the settlement, Sony will provide payments of up to $10,000 to individual employees who suffered identity theft-related financial losses from the data breach, up to a total of 2.5 million dollars for all claimants. An additional 2 million dollars will be set aside to provide up to $1,000 to reimburse affected employees for the cost of their identity theft protection services. Sony will also provide credit monitoring services through AllClear through December 31, 2017. To date, 18,000 people have signed up for the free credit monitoring services.
The hacking of Sony should be a wake-up call to all companies. Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions. Sony’s failings are many. Data banks were not properly segregated. The company was particularly susceptible to phishing attacks. It retained personal information long after it was necessary, and it kept an unencrypted file entitled “Passwords” containing a compendium of passwords that gave the hackers ready access to sensitive information. These are just a few of Sony’s failings. However, many of these failings are shared by many companies that hold personal information of all of us.
There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches other than to inquire of these companies as to what steps they take to protect the personal information that they hold and to refrain from doing business with companies that do not provide a satisfactory answer. Additionally, we should try to limit as much as possible the personal information that we provide to such companies. For instance, your medical care providers do not need your Social Security number although most medical care providers routinely ask for it. The Sony lawsuit was the first of a wave of lawsuits against companies such as Sony and Ashley Madison that have suffered data breaches that many believe could have been prevented with better security. Perhaps being held financially responsible for their lax security will serve as an incentive for companies to do a better job of protecting our information.