Sony Pictures will be paying somewhere in the neighborhood of $5.5 million to $8 million to resolve a class action lawsuit over a large hack attack last winter that left the personal information of employees and ex-employees vulnerable. The details of the settlement were revealed in court papers on Monday night.
The lawsuit led by Michael Corona and other former employees at the studio is a consolidated action of more than a half-dozen negligence and privacy violation lawsuits that were filed after a data breach that has been attributed by the U.S. government to North Korea in anticipation of the release of The Interview.
The proposed deal contemplates a $2 million cash fund to reimburse class members up to $1,000 each for preventive measures taken to protect against identity theft. Meanwhile, the class action lawyers who represented the plaintiffs would be getting almost $3.5 million.
In addition to those firm cash payments, under the terms of the deal, Sony would be providing identity protection services to ex-employees for two years through a third party called AllClear ID. That company would cover credit monitoring and $1 million in identity theft insurance while Sony would pick up the tab for a further $2.5 million — or up to $10,000 per individual — for class members who experience unreimbursed loss from identity theft attributable to the Sony Pictures cyberattack.
The settlement appears to be a boon for the class action attorneys who worked on the case. These lawyers at the law firms of Keller Rohrback, Girard Gibbs and Lieff Cabraser could be walking away with a larger cash payment than the thousands of Sony employees who suffered a data breach. In a declaration by attorney Cari Laufenberg, the plaintiffs’ counsel say that during a six-month discovery period, they reviewed tens of thousands of documents produced by Sony, hundreds of thousands of documents disclosed on the Internet, took depositions of Sony executives, hired an economist and data breach expert to analyze damages and met several times for negotiations with the other side.
The money that Sony is paying out to workers could rise from $2 million to $4.5 million, but proving losses are attributable to cyberhackers could prove troublesome. Although several of the plaintiffs reported being victim to identity fraud in the months following the hack, Sony pointed to other data breaches at Target, eBay and Home Depot and questioned how employees would show the proximate cause of their injuries.
Negotiations for the deal began in June, around the time that U.S. District Judge R. Gary Klausner ruled the plaintiffs had established standing and sufficiently pled injury to advance the dispute beyond Sony’s motion to dismiss. The parties reached a deal in principle on Sept. 1, just as the parties were gearing up for a fight over class certification. It took another six weeks to complete the paperwork. Now, that the parties have presented the deal, a judge will analyze it for fairness and could pay particular attention to the huge cut that the lawyers will be taking. The attorneys who have worked on the case are already emphasizing the value of the ongoing identity protection services.
If approved, former employees will also have the opportunity to opt out of claims to continue pursuing legal action against Sony. At least two other lawsuits are pending in California state court, and as a condition of the deal, those plaintiffs will have to agree to a dismissal. Sony is admitting no liability or wrongdoing from claims that it could have taken better measures to ensure security before the hack occurred.
Here’s the full settlement agreement, which was signed by the parties on Monday.