This post first appeared on Mintz Levin’s Privacy & Security Matters blog.
Settlement appears imminent in an employee class action against Sony Pictures Entertainment (SPE) arising from disclosure of their personally identifiable information (PII) in a massive data breach allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un.
A stipulation filed earlier this week by plaintiffs and SPE notified the court of the imminent settlement. Terms of the settlement are as yet undeclared, but will become known on or before October 19, the deadline set in the stipulation for filing a motion for preliminary approval of the settlement. Any classwide settlement will be subject to court approval after notice to members of the proposed class, who will have the right to object or to opt out of the settlement entirely.
The terms of the undisclosed settlement are likely to reflect the issues addressed in the parties’ briefing earlier this summer on plaintiffs’ motion for class certification. Plaintiffs’ brief in support of their motion focuses on the significant potential for harms to SPE employees due to the nature of the SPE breach. Unlike cases involving data theft limited to payment card numbers—as, for example, was the case in the Target and Home Depot cases—the SPE hack divulged highly sensitive employee PII such as names, addresses, birth dates, Social Security numbers, visa and passport numbers, tax records, payroll information, and criminal background checks.
Just as fanboys on social media were poring through the SPE e-mails for insider information about upcoming film releases, plaintiffs argued that fraudsters, scam artists and other funny people could mine sensitive PII to perpetrate identity theft against SPE employees.
SPE’s opposition brief counters the sound and the fury of plaintiffs’ lurid allegations by pointing out that, despite the sensitivity of the information released, the potential injuries hypothesized in plaintiffs’ papers have largely failed to occur. SPE provided free credit and identity monitoring services to employees in order to observe and report on suspicious activity and prevent identity theft losses. Employees were also provided with $1 million in identity theft insurance protection. As a result, SPE argued, none of the plaintiffs could establish that successful identity theft had been perpetrated against them. Moreover, class members’ pervasive sharing of personal information on social media with friends, neighbors and the world at large would make it difficult to determine whether any instance of identity theft had resulted from the SPE breach. As a result, SPE contended that determining whether any actual fraud loss could be traced to the SPE breach would be so individualized that a class could not be certified to pursue such claims.
Having thus staked out their respective claims, the parties soon knocked up against a court-ordered deadline to engage in non-binding mediation. The end result of that process was the settlement announced in this week’s stipulation.
It will be interesting to learn whether the nature of this breach results in more remunerative settlement terms than have been seen in recent consumer payment card data breach cases. For example, the pending consumer settlement in the Target data breach class action will pay $10 million to resolve claims of 40 million class members.
The “going rate” for such settlements is typically $1.00 or less per class member. It remains to be seen whether the SPE case, with greater potential for harm but still few reports of actual injury, results in a larger per-class-member settlement amount.