Sony recently offered to settle a class action lawsuit over the 2011 breach of its PlayStation Network, which exposed tens of millions of user names, addresses, passwords and credit card numbers (h/t Infosecurity).
According to the terms of the proposed $15 million settlement, the money will be paid out in the form of games. Class members who didn’t take advantage of an initial “Welcome Back” package of games and memberships offered in 2011 will receive one of 14 PlayStation 3 or PlayStation Portable games, as well as three of six PS3 themes or a three-month PlayStation Plus subscription. Qriocity users will get one month of free access.
“While we continue to deny the allegations in the class action lawsuits, most of which had been previously dismissed by the trial court, we decided to move forward with a settlement to avoid the costs associated with lengthy litigation,” a Sony official told Polygon.
Last year, the U.K. Information Commissioner’s Office fined Sony $250,000 (just over $400,000 at the time) for the breach.
Class action lawsuits following large data breaches are becoming routine. CBR reports that eBay was recently hit with a class action lawsuit in Louisiana over a February 2014 data breach that exposed approximately 145 million eBay users’ names, e-mail addresses, mailing addresses, phone numbers, birthdates and encrypted passwords.
The lawsuit claims that eBay’s failure to properly secure the data “has caused, and is continuing to cause, damage to its customers,” alleging that the fact that victims weren’t notified until May 2014 “further damaged the class members who were prevented from immediately mitigating the damages from the theft.”
Still, many of these lawsuits are ultimately dismissed due to the plaintiffs’ failure to prove actual damages.
Illinois’ Advocate Medical Group was hit with a class action lawsuit following the theft of unencrypted computers from its administrative office in July 2013, which exposed more than 4 million patients’ names, addresses, birthdates and Social Security numbers.
But that lawsuit and another were both recently dismissed, according to Modern Healthcare. In a July 10, 2014 ruling, judge James Murphy noted that there were “no allegations of present injury sufficient to sustain the negligence.”
Similarly, BankInfoSecurity reports that judge Elaine Bucklo recently dismissed a class action lawsuit seeking damages from Michaels Stores following the theft of approximately 2.6 million payment card numbers, noting that the plaintiffs failed to prove that they suffered “actual economic damage” as a result of the breach.
“The fundamental challenge for every one of these cases … is proving that harm occurred as a result of the breach,” Javelin Strategy & Research analyst Al Pascual told BankInfoSecurity. “Establishing a one-to-one relationship between breached data and fraud is a challenge for qualified professionals, and it is an impossibly high bar to set for plaintiffs to meet.”