Sony Pictures has reportedly reached a settlement in a lawsuit by former employees affected by data leaks that followed a cyber attack on the company in November 2014.
The lawsuit claimed Sony knew confidential employee data was inadequately protected before the breach. The terms of the agreement, which still requires court approval, have not been revealed.
The attack, which the FBI linked to North Korea, crippled the company’s network and exposed the personal details of 47,000 celebrities, freelancers, and current and former employees.
The leaked data included social security numbers, addresses, details of salaries and bonuses, performance reviews, criminal background checks and termination records, correspondence about employee medical conditions, and passport and visa information.
Some former employees have claimed to have been victims of identity fraud, with credit cards being opened in their names and their personally identifiable information offered for sale online.
Sony and plaintiffs have asked that the class-action application hearing be delayed while they await approval of the settlement, reports The Verge.
Sony reviews legal options
Sony reportedly attempted to block the lawsuit by claiming none of the complainants suffered financial loss.
Commentators said that, after Sony’s request for dismissal was denied, the company probably decided that settling the issue out of court would be the better option.
In February 2015, Sony said it expects the investigation and remediation costs of the cyber attack to amount to $15m, but that does not include legal costs.
Sony’s legal situation was further complicated in April 2015 when WikiLeaks published around 30,000 documents from the breach in a searchable database.
In the wake of the Sony data breach, a key question all company boards should be asking themselves is whether they have the right guidance for staff on the data the company holds, according to Sarb Sembhi, director at Storm Guidance.
“Boards should question whether their company has effective data governance policies, procedures and guidance with appropriate user awareness training,” he said.
Sembhi said good data governance can help any business understand the data it holds, the company data held by third parties, the company data held by third parties of third parties, and the data the company holds belonging to its customers’ customers.
“These two extreme conditions should not exist in most cases, but inevitably do, and therefore should be considered in your data governance policy and incident response plans,” he said.
According to Sembhi, guidance should include who will own the data when things go wrong; who will own the risk in these circumstances; and what procedures staff are expected to follow should there be a breach of that data in any of the businesses holding it.