I was curious to see whether the Sony figure of $150 million included any fines or other breakdown on how the financial impact might play out. Sony’s financial forecast revision statement to their investors appears to not address fines from Visa or others. They also, rightly, do not speculate on what a settlement package might look like from the class action settlements that have already been filed.
To be clear, fines will probably be very steep. Comparing the Sony breach to Heartland Payments gives us a good picture to start with. Heartland was fined $60 million by Visa, $41.4 million by MasterCard, as well as $3.6 million by American Express. Heartland lost over 100 million debit and credit card numbers. Sony may have only lost a quarter of the credit card numbers, but I think the monetary penalty will be higher because of the extent of the breach and the foreknowledge that Sony might have had. Also, the PCI Standards Council has put a lot of work into using Heartland and TJX as example cases over the past several years. With such a large company being breached, they are likely to make another example out of them.