Lawyers for former employees of Sony Pictures Entertainment (“SPE”) indicated in a September 2, 2015 filing that they have tentatively reached a settlement with SPE in the class action suit resulting from the data breach allegedly perpetrated by North Korean hackers in retaliation for SPE’s making and release of the movie “The Interview.” The proposed settlement heads off a trial that was slated for February 2016. terms of the settlement will not be known until October 19, 2015, when formal documentation of the settlement is due to the federal district court in Los Angeles. The court will then be responsible for approving the settlement.
At issue were plaintiffs’ claims that the data breach divulged highly sensitive employee personally identifiable information (“PII”) such as names, addresses, birth dates, Social Security numbers, visa and passport numbers, tax records, payroll information, and criminal background checks. SPE responded in court filings that despite the divulgence of the sensitive information, plaintiffs hypothesized harms have largely failed to occur. SPE also argued that plaintiffs’ pervasive sharing of their personal information on social media and other forums would make it difficult, if not impossible, to determine whether any harm was the result of the SPE data breach.
It will be interesting to see how the SPE settlement compares to other notable data breach settlements. As one example, most settlements to date have involved relativity small payout per class member, which commentators believe is a reflection of the fact that most consumers are not required to pay for fraudulent charges, retailers often provide free credit monitoring services, and few consumers suffer catastrophic harms. These settlements underscore how important it is for a company to disclose breaches early and provide free credit monitoring services to employees to mitigate any risk of credit impairment or identity theft. The SPE data breach, however, appears to have involved a much greater array of PII than in other high-profile data breaches. It remains to be seen if the scope of PII disclosed results in a larger settlement amount despite the apparent lack of significant harm to the SPE plaintiffs.