Gigs & Bytes: Root Suit Loot
November 2005, to be exact. That’s when Thomas Hesse, Sony BMG’s president of global digital business, appeared on National Public Radio and said, “Most people don’t even know what a rootkit is, so why should they care about it?”
Fourteen months and several lawsuits later, it’s probably safe to say that not only do a great many people know what a rootkit is, but they care a great deal about it.
A rootkit is a program often used to help hide other programs, such as malware, spyware or viruses, from users. Back in October 2005 computer security researcher Mark Russinovich found such a beast on his own computer, and traced its origin to a new Sony BMG CD he had played on his machine a month earlier.
In this case the rootkit was used to hide programs used for copy protection technology employed on certain Sony BMG releases. The discovery led to the record label recalling CDs from store shelves, Texas suing the record company under that state’s spyware law, followed by California and New York filing class-action suits.
Plus, the entire debacle gave the fledgling CD copy protection business a big black eye from which it has yet to recover. What’s more, the United States Department of Homeland Security issued an advisory, calling the Sony BMG rootkit a security threat to computer owners.
Now Sony BMG has agreed to reimburse consumers up to $150 for any damage the rootkit may have inflicted upon consumers’ machines. In December 2006 the label settled similar cases with more than 40 states when it agreed to pay more than $4 million and reimburse customers.
The latest rootkit agreement is between Sony BMG and the Federal Trade Commission, which said the software “exposed consumers to significant security risks and was unreasonably difficult to uninstall.”
Under the terms of the agreement, Sony BMG is required to let customers exchange through the end of June any of the label’s CDs that contained the rootkit. The label must also reimburse the customers up to $150 for any damage that might have occurred from attempting to remove the software.
Additionally, Sony BMG must clearly disclose any limitations regarding consumers’ use of music CDs. The label is also prohibited from installing any software included on CDs without consumer consent and is barred from using any user information that might have been collected via the rootkit.
Finally, for the next two years the label must provide an uninstall tool and patches to repair security problems caused by the rootkit. The label must also advertise those fixes and publish information describing the exchange and reimbursement program on its Web site.
Sony BMG does not have to admit to any law violation in the settlement, which is subject to public comment for 30 days before the FTC makes a final decision.
But no matter what the FTC decides, it’s a sure bet that more people know what a rootkit is today than they did in 2005.
