On October 21, 2013, Florida-based health insurer AvMed, Inc. (AvMed) settled a data breach class action for $3 million, even though no member of the class had shown that the breach led to identity theft or any other kind of fraud. The agreement is the first reported settlement of a data breach suit in which the plaintiffs could not prove identity theft or comparable harm.
The plaintiffs pursued the case on an unjust enrichment theory. With no identity theft damages to point to, the settlement value was tied instead to the portion of the plaintiffs' insurance premiums that, they alleged, should have been spent on protecting their personal information.
Settlement Could Pave the Way for Future Data Breach Cases
The settlement, which received preliminary approval on October 24, may open the door for future plaintiffs, since an unjust enrichment claim is likely to be easier to prove than identity theft or fraud. It could also bring more litigation and costlier settlements in the years ahead. For companies that store personal information, the AvMed settlement offers a template for recovery even where individuals cannot show that their information was fraudulently used. It also suggests that courts may be increasingly willing to hold companies that suffer security breaches financially accountable, even when no identity theft follows.
The case was initially dismissed in district court in July 2011 after the court found that the plaintiffs had not adequately alleged an injury resulting from the theft of their personal information. In September 2012 the Eleventh Circuit revived the case, holding that the complaint plausibly connected the stolen information to the identity theft certain named plaintiffs said they had suffered. Settlement talks followed and produced the $3 million agreement.
In the settlement, the plaintiffs' damages request rested on an unjust enrichment claim: they argued that they had overpaid health insurance premiums, a portion of which is supposed to cover the cost of protecting their personal information. The agreement, which remains subject to a final approval hearing scheduled for February 28, 2014, provides a refund of $10 per year of premiums paid, capped at $30 per affected plan member. It also provides payments to individuals who can show identity theft resulting from the incident.
In earlier data breach cases, plaintiffs had to tie the breach to a specific incident of fraud or identity theft, which is often hard to do. An unjust enrichment theory sets a much lower bar, since virtually every company that stores personal information electronically is obliged to protect it. If a failure to do so can itself ground a claim, the AvMed settlement may foreshadow a significant increase in data breach recoveries.
That said, a company with stringent security controls and current breach notification policies and procedures would be better positioned to defend such a suit than AvMed was. The case arose from the December 2009 theft, from a company conference room, of laptop computers holding the unencrypted personal information (names, Social Security numbers, addresses and medical information) of 1.2 million AvMed members.
As a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), AvMed must meet the Security Rule's safeguards for electronic protected health information. Those include encryption of stored data, an "addressable" specification that an entity must either implement or document why an equivalent alternative is reasonable, and physical controls for facilities and areas where electronic protected health information is kept. HIPAA itself gives individuals no right to sue, but AvMed's alleged shortfall against those requirements gave the plaintiffs a ready way to show that protected health information had not been adequately secured. By the same token, defendants who fall demonstrably short of federal and state privacy laws will fare worse in future litigation than those who understand, and can document a history of complying with, the relevant requirements.
Settlement Requires AvMed to Implement a Compliance Plan for Data Protection
In addition to the significant financial payment, the settlement requires AvMed to institute a data protection compliance plan. Its features include:
Mandatory security awareness and training programs for all company employees.
Mandatory training on appropriate laptop use and security for employees who use company laptops.
Upgrading all laptops with additional security mechanisms, including GPS tracking devices to help locate the devices if they are stolen.
Adopting password protocols and requiring encryption technology on all company desktops and laptops.
Installing physical security upgrades at company facilities and offices.
The compliance updates AvMed agreed to sketch the key elements of a sound security program, and companies looking to strengthen their own programs can use the settlement as a checklist. Of the listed measures, encryption is the one that would have changed the outcome here: under the HHS breach notification rule, protected health information encrypted in line with HHS guidance is treated as secured, so the loss of an encrypted laptop is not a reportable breach of unsecured protected health information, whereas GPS tracking only helps recover the hardware after the data on it has already been exposed. A strong security program remains the best defense against data breach class actions. Manatt's recent presentation, Navigating the New Risk Environment, covers how to build and run an effective security program to defend against data breaches.