Last week, a judge for the Southern District of Florida gave final approval to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses). According to Plaintiffs' Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement ("Motion"), this payment to class members "represents reimbursements for data security that they paid for but allegedly did not receive. The true measure of this recovery comes from comparing the actual, per-member cost of providing the missing security measures—e.g., what AvMed would have paid to provide encryption and password protection to laptop computers containing Personal Sensitive Information, and to otherwise comply with HIPAA's security regulations—against what Class members stand to receive through the Settlement" (p. 16). It's been reported that this settlement marks the first time that a data breach class action settlement will offer monetary reimbursement to class members who did not experience identity theft. In defending the fairness, reasonableness, and adequacy of the settlement, plaintiffs noted in the Motion, "[b]y making cash payments available to members of both Classes—i.e., up to $30 to members of the Premium Overpayment Settlement Class, and identity theft reimbursements to members of the Identity Theft Settlement Class members—the instant Settlement exceeds the benefits conferred by other data breach settlements that have received final approval from federal district courts throughout the country."
The finalization of this settlement marks the end of a hard-fought battle between the parties. After AvMed obtained a dismissal with prejudice in the District Court based on plaintiffs' failure to allege a cognizable injury, the dismissal was appealed to the Eleventh Circuit. Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012). There, the Eleventh Circuit found that plaintiffs had established a plausible causal connection between the 2009 data breach and their instances of identity theft. The court also determined that plaintiffs' allegations—that part of the insurance premiums plaintiffs paid to defendant were supposed to fund the cost of data security, and that defendant's failure to implement that security barred it from retaining the full amounts received—were sufficient to state a claim for unjust enrichment. On remand, AvMed answered plaintiffs' complaint and filed a motion to strike class allegations, which was denied by the District Court as
We've been particularly interested in this case for quite some time. Last year, we blogged about the unique nature of the settlement after the agreement was reached. Class action plaintiffs' lawyers in the data breach context have often had their cases dismissed on the basis that they are unable to prove the class suffered any sort of injury or loss. With the AvMed settlement now final, we expect plaintiffs' lawyers to try to leverage similar payment terms into their own data breach class action settlements. As we previously noted, class action settlements are only binding upon the parties that enter into them, but their terms can serve as models for future proposed settlements.
This article is presented for informational purposes only and is not intended to constitute legal advice.