Sony Pictures Entertainment and a class of plaintiffs have recently asked a California-based federal court to approve a settlement of litigation arising from a data breach at Sony first reported last November. The breach was the work of some determined hackers, who released the stolen data on the Internet. The purloined database included personal information of current and former Sony employees, among others.

Last December, ten former Sony employees filed seven separate lawsuits alleging that Sony had failed to properly secure the data, and in so doing, violated statutory and common law. Eventually the plaintiffs filed an amended complaint and asked the court to certify the case as a class action on behalf of all former and current Sony employees whose personal information had been compromised. Although the court dismissed several claims included in the complaint, it denied motions to dismiss the case entirely.

To avoid protracted litigation, Sony ultimately negotiated a settlement with the class. It’s not unusual for parties in civil litigation to resolve disputes before handing the decision over to a jury. But the terms of this proposed deal give a sense of what a business may be facing if it finds itself the victim of a hack. Sony has agreed to:

  1. Establish a non-reversionary cash fund of $2 million to reimburse Settlement Class Members, subject to certain per-person caps, for preventive measures they have taken to protect themselves from identity theft following the Sony Cyberattack.
  2. Provide certain identity protection services through AllClear ID to all Settlement Class Members for two additional years. All Settlement Class Members will be automatically enrolled in AllClear Secure, which provides identity repair and restoration assistance. Additionally, all Settlement Class Members will be able to enroll, free of charge, in AllClear PRO, which includes, among other benefits, credit monitoring and $1 million in identity theft insurance.
  3. Pay up to $2.5 million (up to $10,000 individually) to Settlement Class Members who experience unreimbursed losses from identity theft or misuse as a direct result of the Sony Cyberattack.

On top of all of that, class counsel will request attorneys’ fees, costs and expenses in an amount not to exceed $3,490,000. If my math is correct, that all adds up to nearly $8,000,000 not counting the cost of the AllClear service. The proposed settlement needs to get court approval before it’s final, and even then, individual class members may elect to opt out. So the case isn’t over just yet.

On its face, the settlement seems a bit onerous. Eight million dollars is a lot of money by any calculation. But I suspect it’s the best deal Sony could get. And to the extent it allows the company to turn the page, it makes perfect sense. But the case and the settlement illustrate the perils lurking out there for companies that collect personal information. If you haven’t taken steps to protect your data and, more importantly, thought about what to do if you’re breached, this case should serve as compelling motivation.