Sony Pictures has agreed to pay between $5.5 million and $8 million to settle a class action lawsuit from employees whose personal information was exposed in a massive data breach in late 2014, according to The Hollywood Reporter.

If approved by the court, the settlement agreement would create a $2 million fund to reimburse those affected up to $1,000 each for measures taken to protect against identity theft, and the lawyers who represented the plaintiffs would receive up to $3.49 million in fees, costs and expenses.

Sony also agreed to provide two years of identity protection services through AllClear ID, and to pay up to $2.5 million (up to $10,000 per person) to class members who experienced losses from identity theft attributed to the cyber attack. "Valid claims will be paid as claims are validated and approved, up to an aggregate maximum of $2.5 million," the agreement states, noting that those claims must be filed by December 31, 2017.

The Hollywood Reporter suggests that attributing those losses might be a challenge, as Sony has already pointed to other major breaches, such as those at Anthem, Dropbox, Evernote, Home Depot and Target, as possible causes of identity theft.

"In today’s digital, data-led economy, customers, employees and stakeholders can demand more from digital businesses, more than ever before," Bill Berutti, president of the performance and availability product line and the cloud management/data center automation product line for BMC Software, told eSecurity Planet by email. "It is therefore imperative that businesses of all sizes, whether you are a high-profile brand such as Sony Pictures or an emerging SME, are taking every possible effort to secure customer data as a standard procedure -- not as an afterthought in response to a data breach."

Berutti suggests taking the following steps to improve perimeter security:

  • Respond as quickly as possible to a known vulnerability to close the 'SecOps gap' -- the time it takes for a company to reduce the time it is vulnerable to any given security issue
  • Secure all internal systems -- not just the most vulnerable
  • Take steps to secure third-party software -- this can often be the gateway to a huge security incident within the company

"Taking these steps from the get-go could maintain reputations, prevent significant financial losses, and ultimately help retain a loyal employee and customer base for the future," Berutti said.

Recent eSecurity Planet articles have offered advice on improving database security and on using Apache Hadoop to reduce security risks.
