
It’s A Wrap! Sony Pictures Data Breach Case Settles Without A Hollywood Ending For The Plaintiff Class

Everyone loves a good courtroom drama.  So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio computer system.  Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees.  Their most intimate secrets, spilled over the Internet.  Who can help these poor souls?  Why, the brave and hard-working class action lawyers, that’s who.  Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice.  Think “The Manchurian Candidate” meets “Erin Brockovich.”

But real life is rarely like the movies, even when it involves the movies.  Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”).  The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un.  And class action litigation predictably followed.  But the evil wrongdoers who faced the wrath of class counsel?  Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime.  So SPE, the studio victimized by the hack, would have to do.

And the result of this drama?  This past Wednesday, April 6, a federal judge in Los Angeles issued an order granting final approval to the previously reported settlement of the case.  The terms of the settlement, as detailed in the modified settlement agreement, provide three types of relief to the class.  First, SPE will establish a non-reversionary cash fund of $2 million to reimburse class members for costs expended to prevent identity theft.  Second, SPE will provide two years of identity theft protection services to class members.  These services are in addition to one year of such services that SPE had already provided to its employees separately from the lawsuit.  Third, SPE will provide a fund of up to $2.5 million to compensate class members for documented losses not covered through insurance provided by the identity theft component of the settlement or by other sources (e.g., credit card companies making good fraud losses on credit cards).  The settlement provides for “incentive awards” of $34,000 apiece to named plaintiffs, and discloses that class counsel will separately apply for $3,490,000 in attorneys’ fees.

Were this a movie, and not real life, the script would be sent back to rewrite.  For all of its gritty realism, the settlement lacks drama.  This was not a big windfall for the class.  Beyond the cost of extending existing identity theft protection – which the settlement tellingly does not value – the settlement only obligates SPE to pay $2 million.  The $2.5 million loss compensation component is entirely contingent on the volume of valid claims that may be submitted during the claims period.  The size of the settlement, compared to the vast publicity that the case generated, is quite modest.  Even a beaming Julia Roberts would have a hard time selling this outcome as the heartwarming finale of an old-fashioned Tinseltown melodrama.

The modesty of the settlement is further betrayed by class counsel’s fee application.  Class counsel fees can be calculated either as a percentage of the class recovery (typically between 25% and 33% of the recovery) or based on the billable hours worked on the matter (the so-called “lodestar” method).  The fee application against SPE uses the lodestar method to justify the fee, which is a tacit concession of the underwhelming recovery in this case.  Requests for a percentage of the recovery inevitably accompany large settlements.  Lodestar requests are most common where the recovery is small.  Absent a lodestar justification, it would not be possible to obtain an award of fees equal to 78% of the best case class recovery.

Class counsel’s fee request is under advisement, so it remains to be seen whether the court will award fees in the amount requested.  But whatever fee award results, the overall settlement sends the message that it was not possible to settle the case at an amount commensurate with the effort expended by class counsel to litigate the case.

Class counsel’s motion for final approval of the settlement provides some clues as to why that might be so.  SPE was the victim of a sophisticated cyberattack, such that it might prove difficult at trial to establish that the attack resulted from SPE’s negligence, and not from some unforeseen intrusion that could not be avoided through the exercise of reasonable care.  A more significant constraint on settlement is the limited damages sustained by the class.  Although the court’s ruling on SPE’s motion to dismiss found that costs to avoid identity theft are cognizable damages – and those costs are covered by this settlement – such costs don’t add up to a lot of money.  Likewise, the limited fund to cover actual identity theft losses suggests that substantial individual claims have not materialized here.

In the end, it always comes down to injury and damages.  Cases targeting PII make good candidates to survive standing challenges because of the ability to use PII to perpetrate identity theft.  But even so, and even as criminals are increasingly focusing on PII theft, classes presenting high dollar value claims for actual damages have yet to materialize.  When such losses do occur, they may prove to be too individualized to make good candidates for resolution through class action settlements.  Nor would individuals with large dollar value personal claims have need of the class action mechanism to have their day in court.  For now, the SPE data breach settlement does not provide an auspicious bellwether for the plaintiff’s class action bar.

And . . . . scene!


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Kevin M. McGinty

Member / Co-chair, Class Action Practice

Kevin is a member of the firm's Health Care Enforcement Defense Group and has significant experience representing health care–related entities in a variety of litigation matters, including contract, regulatory, False Claims Act and class action lawsuits. Kevin's health care industry clients have included pharmacies, PBMs, hospitals, clinical laboratories, diagnostic imaging providers, pharmaceutical companies and managed care organizations.