Once finally approved, this settlement would resolve the claims asserted against AvMed and would provide monetary relief to all affected customers, including customers who were not actually victims of an identity theft. The proposed settlement in this case goes well beyond the credit monitoring offer that typically results from data breach class action settlements. According to the plaintiffs’ unopposed motion to approve the settlement:
“All told, the Settlement is a tremendous achievement for the Plaintiffs and proposed Settlement Classes, and provides landmark relief that will serve as a model for other companies who face similar lawsuits.”
AvMed, Inc. is a Florida-based health insurance provider. In December 2009, two laptop computers were stolen from AvMed’s conference room. The laptops contained the unencrypted personally identifiable information (PII) of 1.2 million AvMed customers. The unencrypted PII consisted of customers’ names, addresses, Social Security numbers, and medical health information.
According to the affected customers, AvMed’s failure to properly secure their PII (in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards) resulted in (1) the theft of some affected customers’ identities, and (2) with respect to all affected customers, the overpayment for insurance coverage.
The first claim (i.e., the claim of customers whose identities were stolen and who suffered economic harm as a result) is fairly straightforward and uncontroversial.
The second claim (related to the overpayment of premiums by all affected customers) is a bit more novel. This second claim is based on an unjust enrichment theory, which the Eleventh Circuit addressed prior to remanding this case to the district court. The Eleventh Circuit recognized the customers’ unjust enrichment claim, stating that when AvMed charges customers, as part of their premium payments, to fund the administrative costs of data security, AvMed is unjustly enriched to the extent it subsequently fails to implement those data security measures. This notion is premised on the fact that customers paid monthly premiums to AvMed, a portion of which was presumably allocated to the data security efforts that AvMed promised its customers. And, of course, AvMed did not implement these promised data security efforts, but nevertheless retained the entirety of the customers’ premiums. Accordingly, under this theory of unjust enrichment, the customers paid for undelivered services and are thus entitled to partial refunds of their premiums.
Under the terms of the settlement, AvMed agrees to create a $3M settlement fund. Customers who can show that they actually suffered identity theft as a result of the 2009 data breach can make claims to recover monetary losses associated with the identity theft. Additionally, all affected customers (whether they suffered actual identity theft or not) will be entitled to claim $10 for each year that they paid premiums to AvMed, subject to a cap of $30. The cash payments available to all affected customers provide reimbursement for the portion of their insurance premiums that AvMed should have allocated to data protection and security.
Additionally, under the settlement, AvMed is required to implement wide-ranging measures to ensure that its customers’ PII is protected, including:
- instituting mandatory security awareness and training programs for all company employees
- instituting mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers
- upgrading all company laptop computers with additional security mechanisms, including GPS tracking technology
- adopting new password protocols and full disk encryption technology on all company desktops and laptops
- installing physical security upgrades at company facilities and offices to further safeguard workstations from theft
- reviewing and revising written policies and procedures to enhance information security
For Comparison’s Sake
So, just for fun, here’s how this settlement stacks up against some other recent, high-profile data breach settlements:
- Johansson-Dohrmann v. Cbr Sys., Inc., No. 12-CV-1115 (S.D. Cal. July 24, 2013) – established a $2.5 million fund to provide approximately 300,000 class members with two years of credit monitoring and identity theft reimbursement.
- Beringer v. Certegy Check Services, Inc., No. 07cv-01657 (M.D. Fla. Sept. 3, 2008) – established a $5 million fund to provide approximately 37 million class members with up to two years of credit monitoring and identity theft reimbursement.
- In re Heartland Payment Sys. Inc. Customer Data Sec. Breach Litig., MDL No. 09-2046 (S.D. Tex. 2012) – established a $2.4 million fund from which to provide over 100 million class members with identity theft reimbursement.
- Rowe v. Unicare Life and Health Ins. Co., No. 09-cv-02286 (N.D. Ill. Sept. 14, 2011) – established a $3 million fund to provide approximately 220,000 class members with one year of credit monitoring and identity theft reimbursement.