A recent article from Yahoo reveals the potential legal damages from last year's hack of Sony Pictures. According to the article, Sony will be paying somewhere between $5.5 million and $8 million to resolve a class action suit from its employees. The personal information of current and former employees was left exposed, and many were subject to identity fraud.
The proposed deal also includes a $2 million fund to reimburse employees up to $1,000 each to take measures to prevent identity theft. Sony will also be providing identity protection services to ex-employees for two years and additionally cover any unreimbursed losses attributable to the hack.
The law firms associated with this case are also pocketing large sums of money. During a six-month #eDiscovery period, they reviewed tens of thousands of documents from Sony and hundreds of thousands of documents disclosed from the internet. A data breach expert was also hired to analyze damages.
What stands out from all of the above is the tremendous cost for all involved. Not only has Sony had its reputation tarnished by the lurid details released from the initial hack, it is now on the hook for a large payout to its own employees. The underlying issue is that a proper information governance (#InfoGov) strategy could have prevented the leaking of sensitive employee information. A breach from an outside hacker is impossible to predict, but Sony was not properly prepared and did not have the appropriate protocols in place regarding its employees' data.
Data security and information governance are two distinct areas, but one without the other is relatively pointless. We have discussed in the past the importance of data disposal and this case is a perfect example. Moreover, moving your records (especially sensitive ones) through the appropriate lifecycle is critical and the consequences of failing to do so are easy to observe.
This was an embarrassing and expensive lesson for Sony to learn, but hopefully it sheds even more light on the importance of complete information governance.