PlayStation Network customers involved in a class-action lawsuit against Sony could be waiting years for small compensation for damages they suffer as a result of their personal information being stolen during a breach last month, according to the lead attorney in the suit.
Depending on how cooperative Sony is, the case will take a year or longer to reach a settlement, says Ira Rothken, and it's up in the air what damages might be assessed.
Complicating factors are that credit card numbers may or may not have been stolen, and the encryption on them may or may not have been broken. If it turns out they have been sold and used by criminals, claims against the company could rise, Rothken says.
He is keying in on the fact that Sony says it didn't encrypt passwords, user names, email addresses and other personal information as demonstration that Sony didn't adequately protect the data.
The lawsuit claims Sony had inadequate firewalls, inadequate use of encryption and unauthorized storage of data, violating PCI standards and California law governing security of customer information.
Rothken says his firm is gathering information about the breach and assessing its credibility, but wouldn't discuss its details. He says the most credible information will come during deposition of Sony officials and others who investigate the breach directly.
Sony admits id didn't encrypt some of the data, and that is the basis of some of the charges. The PCI violation charge comes because there has never been a breach in which the victim company was in compliance with PCI, he says.
The consequences for Sony could be costly, Rothken says. If each of the 77 million PlayStation Network customers whose information was stolen gets just $10, that's $770 million out of Sony's pockets, he says.
The class action could be divided into subclasses, for those whose password was stolen or those whose credit card information was stolen, for example. Other subclasses could be those who paid for using PlayStation Network services but have been unable to because the network is down, or those who bought multiplayer games, but can't connect to play with other gamers.
These customers could become victims of what Rothken calls a viral data breach in which the information stolen from PlayStation Network is used to crack into other customer accounts. Many consumers use the same password over and over at different online e-commerce sites, so security of their accounts at those other sites could be jeopardized as well, he says.