The AvMed Data Breach Settlement: What’s it going to Cost?

$3,000,000, based on the recently proposed settlement agreement involving the 2009 AvMed data breach incident.

Once finally approved, this settlement would resolve the claims asserted against AvMed and would provide monetary relief to all affected customers, including customers who were not actually victims of an identity theft.  The proposed settlement in this case goes well beyond the credit monitoring offer that typically results from data breach class action settlements.  According to the plaintiffs’ unopposed motion to approve the settlement:

“All told, the Settlement is a tremendous achievement for the Plaintiffs and proposed Settlement Classes, and provides landmark relief that will serve as a model for other companies who face similar lawsuits.”

The Facts

AvMed, Inc. is a Florida-based health insurance provider.  In December 2009, two laptop computers were stolen from AvMed’s conference room.  The laptops contained the unencrypted personally identifiable information (PII) of 1.2 million AvMed customers.  The unencrypted PII consisted of customers’ names, addresses, Social Security numbers, and medical health information.

The Allegations

According to the affected customers, AvMed’s failure to properly secure their PII (in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards) resulted in (1) the theft of some affected customers’ identities, and (2) with respect to all affected customers, the overpayment for insurance coverage.

The first claim (i.e., based on customers whose identities were stolen and who suffered economic harm as a result) is fairly straightforward and uncontroversial.

The second claim (related to the overpayment of premiums of all affected customers) is a bit more novel.  This second claim is based on an unjust enrichment theory, which the Eleventh Circuit addressed prior to remanding this case back to the district court.  The Eleventh Circuit recognized the customers’ unjust enrichment claim stating that when AvMed charged customers, as part of premium payments, to fund the administrative costs of data security, then AvMed is unjustly enriched to the extent it subsequently fails to implement the data security measures.  This notion is premised on the fact that customers paid monthly premiums to AvMed, a portion of which was presumably allocated to the data security efforts that AvMed promised its customers.  And, of course, AvMed did not implement these promised data security efforts, but nevertheless retained the entirety of the customers’ premiums.  Accordingly, under this theory of unjust enrichment, the customers paid for undelivered services and thus are entitled to partial refunds of their premiums.

The Settlement

Under the terms of the settlement, AvMed agrees to create a $3M settlement fund. Customers who can show that they actually suffered identity theft as a result of the 2009 data breach can make claims to recover monetary losses associated with the identity theft.  Additionally, all affected customers (whether they suffered actual identity theft or not), will be entitled to claim $10 for each year that they paid premiums to AvMed, subject to a cap of $30.  The cash payments available to all affected customers provide reimbursement for the portion of their insurance premiums that AvMed should have allocated to data protection and security.

Additionally, under the settlement, AvMed is required to implement wide-ranging measures to ensure that its customers’ PII is protected, including:

  1. instituting mandatory security awareness and training programs for all company employees
  2. instituting mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers
  3. upgrading all company laptop computers with additional security mechanisms, including GPS tracking technology
  4. adopting new password protocols and full disk encryption technology on all company desktops and laptops
  5. installing physical security upgrades at company facilities and offices to further safeguard workstations from theft
  6. reviewing and revising written policies and procedures to enhance information security

For Comparison’s Sake

So, just for fun, here’s how this settlement stacks up against some other recent, high-profile data breach settlements:

  • Johansson-Dohrmann v. Cbr Sys., Inc., No. 12-CV-1115 (S.D. Cal. July 24, 2013) – established a $2.5 million fund to provide approximately 300,000 class members with two years of credit monitoring and identity theft reimbursement.
  • Beringer v. Certegy Check Services, Inc., No. 07-cv-01657 (M.D. Fla. Sept. 3, 2008) – established a $5 million fund to provide approximately 37 million class members with up to two years of credit monitoring and identity theft reimbursement.
  • In re Heartland Payment Sys. Inc. Customer Data Sec. Breach Litig., MDL No. 09-2046 (S.D. Tex. 2012) – established a $2.4 million fund from which to provide over 100 million class members with identity theft reimbursement.
  • Rowe v. Unicare Life and Health Ins. Co., No. 09-cv-02286 (N.D. Ill. Sept. 14, 2011) – established a $3 million fund to provide approximately 220,000 class members with one year of credit monitoring and identity theft reimbursement.

comScore: A Lesson in Unauthorized Use of Consumers’ Data

Last week, the Seventh Circuit upheld a lower court’s class certification in the case of Harris v. comScore, Inc.  Although issued without opinion, the Seventh Circuit’s refusal to reverse the District Court’s certification should signal to online marketing and analytics firms that there may be significant exposure related to consumer data collection.

The comScore class action suit was based on violations of the Stored Communications Act (“SCA” at 18 U.S.C. § 2701(a)(1), (2)), the Electronic Communications Privacy Act (“ECPA” at 18 U.S.C. § 2511(1)(a), (d)), the Computer Fraud and Abuse Act (“CFAA” at 18 U.S.C. § 1030(a)(2)(C)), and common law unjust enrichment.

The complaint alleged that comScore improperly obtained and used consumers’ personal information after they downloaded and installed comScore’s software.  The software at issue here is called OSSProxy.  Once installed on a computer, OSSProxy constantly collects data about the user’s computer activity and sends that data back to comScore’s servers.  Depending on how cognizant you are of data collection software and current practices, the following may or may not shock you:

“The OSSProxy software collects a variety of information about a consumer’s computer, including the names of every file on the computer, information entered into a web browser, including passwords and other confidential information, and the contents of PDF files.”

OSSProxy was installed on millions of computers between 2008 and 2011.  To accomplish this, comScore distributes its OSSProxy software through cooperation with third-party providers (appropriately referred to as “bundlers”) who distribute free digital products to consumers online.  Upon downloading the bundlers’ free software, the consumer is prompted to download OSSProxy.  The prompt includes a “Download Statement” and, at least in some cases, a link to comScore’s User License Agreement (ULA).   OSSProxy downloads and installs on a consumer’s computer only after the consumer checks “Accept.”  The bundler’s free digital product downloads and installs even if the consumer “Rejects” the OSSProxy terms, although that fact is not apparent to an average consumer.

A critical common question among putative class members was whether comScore exceeded the scope of the consent it received from consumers.  As reproduced in the District Court opinion, the Downloading Statement reads in relevant part as follows:

“In order to provide this free download, RelevantKnowledge software, provided by TMRG, Inc., a comScore, Inc. company, is included in this download. This software allows millions of participants in an online market research community to voice their opinions by allowing their online browsing and purchasing behavior to be monitored, collected, aggregated, and once anonymized, used to generate market reports which our clients use to understand Internet trends and patterns and other market research purposes. The information which is monitored and collected includes internet usage information, basic demographic information, certain hardware, software, computer configuration and application usage information about the computer on which you install RelevantKnowledge. We may use the information that we monitor, such as name and address, to better understand your household demographics; for example, we may combine the information that you provide us with additional information from consumer data brokers and other data sources in accordance with our privacy policy. We make commercially viable efforts to automatically filter confidential personally identifiable information and to purge our databases of such information about our panelists when inadvertently collected. By clicking Accept you acknowledge that you are 18 years of age or older, an authorized user of the computer on which you are installing this application, and that you have read, agreed to, and have obtained the consent of all computer and TV users to the terms and conditions of the Privacy Statement and User License Agreement.”

After quickly dismissing the unjust enrichment claim as inappropriate for class action treatment, the Court allowed the claims based on three federal statutes that provide protection against unauthorized data collection from the plaintiffs’ computers. Each of the three statutes provides an exception to liability if the person obtaining the information has the consent of the computer user.

The plaintiffs alleged that comScore exceeded the scope of their consent to monitoring in the ULA (as incorporated via the Downloading Statement) by:

  1. “fuzzifying” or “obscuring” confidential information collected, rather than automatically filtering that information;
  2. failing to “make commercially viable efforts to purge” confidential information that it does collect from its database;
  3. intercepting phone numbers, social security numbers, user names, passwords, bank account numbers, credit card numbers, and other demographic information;
  4. intercepting the previous 25 websites accessed by a consumer before installation of comScore’s software, the names of every file on the consumer’s computer, the contents of iPod playlists on the computer, the web browsing history of smartphones synced with the computer, and portions of every PDF viewed by the user during web browsing sessions; and
  5. selling the data collected from the consumer’s computer.

Specifically, the Stored Communications Act (SCA) provides a private action against any person who intentionally accesses without authorization a facility through which an electronic communication service is provided or intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system. The Electronic Communications Privacy Act (ECPA) provides the same with respect to any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication, or intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication.  Finally, the CFAA creates a private right of action against any person who intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

The Court concluded that the class action requirements under Federal Rule of Civil Procedure 23(a) (i.e., numerosity, commonality, typicality, adequacy of representation, and ascertainability), as well as the requirements under Rule 23(b)(3) of predominance and superiority were all met.  Rule 23(b)(3) provides that a class action may be maintained only if “the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.”  As to this “predominance and superiority” requirement, the Court was not moved by comScore’s assertion that class certification should be precluded due to the issue of whether each individual plaintiff suffered damage or loss from comScore’s actions.  As the Court stated,

“That argument has no applicability to the ECPA or SCA claims, both of which provide for statutory damages. The CFAA is different, however, in that it grants a civil action only to “[a]ny person who suffers damage or loss.”  [Nevertheless], the Seventh Circuit has recently reiterated that individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.”

The lesson here for businesses is to make sure their terms of service, privacy policies, license agreements, website/mobile app terms of use, etc. accurately reflect their actual practices regarding collection and use of customers’ data.  As companies increasingly leverage “big data” (whether as direct marketing firms or indirectly through outsourced analytics providers), the adequacy of the notice and consent obtained from customers might just be the single most important factor in avoiding a costly, high-profile class action lawsuit.