On February 21, a federal judge in the Southern District of Florida approved a $3 million data breach class action settlement agreement between AvMed, Inc. and plaintiffs. This case arose from a December 2009 theft of two unencrypted laptops storing the personal information of persons receiving healthcare coverage through AvMed. This settlement is significant because, for the first time, plaintiffs in a data breach case who did not suffer actual damages are permitted to claim a share of the settlement funds. Whether this approach serves as a model for future settlements is not clear.
Under the agreement’s terms, AvMed will establish a $3 million fund to pay the following:
- Class members whose personal information was actually on the stolen laptops, but who have not suffered identity theft, can receive $10 for each year they paid AvMed for health insurance coverage before the December 2009 incident, up to a maximum recovery of $30. This relief is intended to compensate class members for that portion of their premiums that plaintiffs contend AvMed should have devoted to adequate data protection protocols and procedures. This group comprises the “Premium Overpayment Settlement Class.”
- Those class members who actually suffered identity theft will be reimbursed for the amount of any proven monetary loss that is shown by that member to have occurred “more likely than not” as a result of the December 2009 breach. Members of this class may also claim under the Premium Overpayment Settlement Class. The parties have allocated $250,000 to cover identity theft claims by this sub-class.
- An incentive award of $10,000, to be split evenly between the two class representatives for their service in that role.
- Attorneys' fees and costs for the plaintiffs' class attorneys, in the amount of $750,000.
- The costs of sending notices to the settlement classes as well as all costs of settlement administration.
AvMed will retain the right to contest any submitted claim before a designated special master. This is particularly critical for identity theft claims, because claimants will be required to demonstrate, as noted above, that their alleged damages were “more likely than not” proximately caused by the December 2009 data breach. That is the same causation standard they would have had to meet at trial, and it is the standard plaintiffs in data breach cases have consistently found most difficult to satisfy, so it remains to be seen how this portion of the agreement will be applied in practice. The difficulty facing potential claimants is reflected in the fact that only $250,000 of the $3,000,000 fund is allocated to this segment.
In addition to creating the settlement fund, AvMed had agreed to implement the following data security steps before the settlement was even approved by the court:
- Conduct mandatory security awareness and training programs for all employees;
- For those employees whose responsibilities include the accessing of information on AvMed laptops, conduct additional mandatory training on appropriate laptop use and security;
- Upgrade all company laptops with additional security mechanisms (including GPS tracking technology);
- Implement full disk encryption technology on all company desktops and laptops so that the data stored on these devices is encrypted at rest;
- Implement new password protocols;
- Implement physical security upgrades at AvMed facilities and offices; and
- Review and revise written policies and procedures.
These seven steps are ones that any company handling sensitive information, whether customer personal data or internal proprietary data relating to research and development, marketing or human resources, should already have in place. Full disk encryption in particular addresses the exact failure at issue here: a stolen laptop whose contents can be read by whoever holds it. Companies that have not implemented these measures should start immediately.
Additionally, the significance of this agreement lies in the allocation of a fixed amount ($10 per year) representing the portion of premiums that plaintiffs contend the defendant should have spent on data security, which is the theory underlying an unjust enrichment claim. Plaintiffs have pleaded this unjust enrichment theory in other data breach cases throughout the United States over the years without success. It remains to be seen whether this agreement will become the foundation for future claims based on the same theory.
Finally, even though this particular case was brought against a healthcare industry actor, its approach appears readily translatable to any other business sector that handles third-party sensitive data, and especially to those handling personal data, whether health or financial.
Therefore, while it is not yet clear whether this approach to settlement will take hold, it is very clear that every business handling sensitive third-party data should be examining its IT systems and related data security policies and protocols in order to: (i) identify security weaknesses; and (ii) remedy those weaknesses so as to minimize the risk of a data breach or similar incident.