In the wake of the major data breach at Sony Pictures Entertainment of November 2014, in which sensitive personal information including Social Security numbers and health data on thousands of present and former employees was compromised, nine former employees affected by the data breach sued Sony, alleging that it was negligent in failing to protect their personal information. I first reported to you about this lawsuit, Corona et al v. Sony Pictures Entertainment, in my Scam of the day for March 13, 2015. On September 7, 2015, I reported to you about an apparent settlement of the lawsuit. Now Judge Gary Klausner has given preliminary approval to the settlement, indicating that it “appears to be fair and reasonable on its face.” Under the terms of the settlement, Sony will provide payments of up to $10,000 to individual employees who suffered identity theft-related financial losses from the data breach, up to a total of 2.5 million dollars for all claimants. An additional 2 million dollars will be set aside to provide up to $1,000 to reimburse affected employees for the cost of their identity theft protection services. Sony will also provide credit monitoring services through AllClear through December 31, 2017. Finally, the plaintiffs’ lawyers will be paid up to 3.5 million dollars for legal fees. A final approval hearing has been scheduled for March 16, 2016.
The hacking of Sony should be a wake-up call to all companies. Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions. Sony’s failings are many. Data banks were not properly segregated. The company was particularly susceptible to phishing attacks. It retained personal information long after it was necessary, and it kept an unencrypted file entitled “Passwords” with a compendium of passwords, giving the hackers ready access to sensitive information. These are just a few of Sony’s failings; however, many of them are shared by many companies that hold the personal information of all of us.
There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches other than to inquire of these companies as to what steps they take to protect the personal information that they hold and to refrain from doing business with companies that do not provide a satisfactory answer. Additionally, we should try to limit as much as possible the personal information that we provide to such companies. For instance, your medical care providers do not need your Social Security number although most medical care providers routinely ask for it. The Sony lawsuit was the first of a wave of lawsuits against companies such as Sony and Ashley Madison that have suffered data breaches that many believe could have been prevented with better security. Perhaps being held financially responsible for their lax security will serve as an incentive for companies to do a better job of protecting our information.