Data Breach Settlements
Courts have generally tended to dismiss consumer class-action lawsuits filed against companies that suffer data breaches. This is especially true in instances where the victims cannot show that the breach directly caused them any financial loss.
Recently, a federal court in Florida approved a $3 million settlement for victims of a data breach in which personal health information was exposed when multiple laptops, which contained unencrypted data, were stolen.
The laptops belonged to AvMed, a Florida-based health insurer, which exposed patient records belonging in to tens of thousands of its customers. Several victim later filed a class action lawsuit against AvMed.
While there was no proof that the plaintiffs suffered any direct losses or actual identity theft, the suit accused AvMed of negligence, breach of contract, breach of fiduciary duty and unjust enrichment.
The U.S. District Court for the Southern District of Florida, which heard the case, dismissed the claims against AvMed two separate times.
However, upon appeal by the plaintiffs, the U.S. Court of Appeals for the Eleventh Circuit allowed several of the claims, including those pertaining to negligence and breach of contract, to remain, and remanded the case back to the district court.
When AvMed again filed a motion to dismiss the class action claims, the district court refused to do so, prompting the health insurer and the plaintiffs to enter into settlement talks.
Under the agreement, each breach victim will receive up to $10 for each year they paid AvMed an insurance payment, up to a maximum total of $30. The plaintiffs contended that AvMed should have been spending this money to bolster its data security controls.
Under the agreement, AvMed has also agreed to pay actual damages to anyone whose identity was stolen as a result of the breach.
Additionally, the company agreed to implement new password protocols and install disk encryption and GPS tracking tools on its laptops.
The settlement is believed to be the first of it’s kind, in which victims of a data breach are compensated without having to prove that they actually suffered any losses from the theft of their personal data.
Historically courts have noted that consumers cannot make damage claims based on the chance that they could become identity theft victims sometime in the future.
If you would like some assistance with shoring up your security infrastructure, pleas contact the CCS Retail Systems Support Department.
– John