Sony Agrees to Reimburse ID Theft Charges, Offer User Benefits to Settle Breach Lawsuit

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

June 16 — Sony has agreed to pay some $19 million to settle class litigation stemming from a 2011 data breach of its video game, music and video networks, according to a proposed settlement agreement filed June 13 in the U.S. District Court for the Southern District of California .  

In the proposed no-fault settlement, Sony Computer Entertainment America LLC, Sony Online Entertainment LLC (SOE) and Sony Network Entertainment International LLC agreed to pay for users' unreimbursed identity theft-related charges resulting from the intrusions, up to a total of $1 million.

In addition, Sony agreed to put up to $14 million toward making subscribers and former subscribers whole for the service costs associated with the gaming network.

The three entities have also agreed to pay up to $2.75 million in attorneys' fees and costs, up to $1.25 million in notice costs and separate claims administration costs.

Over 100 Million Accounts Compromised

In April 2011, Sony revealed that its PlayStation video gaming and Qriocity streaming music and video networks had faced a hacking breach that exposed the personal information of some 77 million user accounts. Sony later discovered a second, earlier breach that exposed personal data for some 24.6 million or more user accounts, bringing the total number of accounts compromised to some 101.6 million.

The plaintiffs sued various Sony entities in 65 class-action complaints alleging that they failed to provide reasonable network security to protect their users' information. Those actions were later consolidated, according to a memorandum in support of the plaintiffs' motion for preliminary approval of the settlement.

In October 2012, the district court concluded that the plaintiffs had Article III standing, but it dismissed their California negligence claim, unjust enrichment claims, bailment claims and several California statutory claims.

The court in January 2014 again ruled that the plaintiffs had standing, but it dismissed the majority of the plaintiffs' 51 causes of action without leave to amend. Among the remaining claims were several state consumer protection statute claims, as well as a California Database Breach Act claim and a partial performance/breach of covenant of good faith and fair dealing tort claim.

Breach Didn't Result in Legislation

In 2011, the Sony breach prompted an initial peak in congressional interest in data breach notification legislation, much as the December 2013 revelation of a massive customer payment card breach at retailer Target Corp. has fueled calls in 2014 for a federal data breach law.

But after the Sony breach, the 112th Congress didn't move any data breach legislation before adjourning in January 2013. It is far from clear that the 113th Congress will make any progress on similar legislation before it is scheduled to adjourn in January 2015.

Congress has been examining the possibility of enacting a breach notice law since 2005 to preempt state breach notice laws. But that roster of state laws has grown to 47 states and the District of Columbia, with the most recent being Kentucky in April.

Free Games, Themes, Subscriptions

The settlement class would include all U.S. residents “who had a PlayStation Network account or sub-account, a Qriocity account, or a Sony Online Entertainment account at any time prior to May 15, 2011.”

The reimbursements for identity theft-related charges couldn't exceed $2,500 per claim, according to the settlement. Those claims would be subject to a $1 million cap.

Other benefits offered to consumers would include free PlayStation 3 (PS3) and PlayStation Portable games, PS3 themes, limited “PlayStation Plus” subscriptions, limited “Music Unlimited” service subscriptions and virtual currency. Some PlayStation Network users would be eligible to receive cash payments equal to any unused credits in their accounts.

The benefits to PlayStation Network users who participated in Sony's “Welcome Back” package of benefits following the intrusions would be subject to a $4 million cap. The benefits to users who didn't participate in the program would be subject to a $6 million cap. After one of those caps was reached, remaining claimaints would receive a one-month PlayStation Plus subscription.

The amount of virtual currency benefits extended to SOE users would be reduced if those claims exceeded $4 million. SOE users would also be able to receive cash payments for unused credits in their accounts.

Barnow and Associates PC; Robbins Geller Rudman & Dowd LLP; the Law Offices of David A. McKay LLC; Grant & Eisenhofer PA; Strange & Carpenter; Blood Hurst & O'Reardon LLP and Casey Gerry Schenk Francavilla Blatt & Penfield LLP served as co-lead settlement class counsel. Ropes & Gray LLP represented the Sony entities.

Full text of the 104-page proposed settlement agreement is available at

Request Bloomberg Law Privacy and Data Security