Tag Archives: PII

The AvMed Data Breach Settlement: What’s it going to Cost?

$3,000,000, based on the recently proposed settlement agreement involving the 2009 AvMed data breach incident.


Once finally approved, this settlement would resolve the claims asserted against AvMed and would provide monetary relief to all affected customers, including customers who were not actually victims of an identity theft.  The proposed settlement in this case goes well beyond the credit monitoring offer that typically results from data breach class action settlements.  According to the plaintiffs’ unopposed motion to approve the settlement:

“All told, the Settlement is a tremendous achievement for the Plaintiffs and proposed Settlement Classes, and provides landmark relief that will serve as a model for other companies who face similar lawsuits.”

The Facts

AvMed, Inc. is a Florida-based health insurance provider.  In December 2009, two laptop computers were stolen from AvMed’s conference room.  The laptops contained the unencrypted personally identifiable information (PII) of 1.2 million AvMed customers.  The unencrypted PII consisted of customers’ names, addresses, Social Security numbers, and medical health information.

The Allegations

According to the affected customers, AvMed’s failure to properly secure their PII (in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards) resulted in (1) the theft of some affected customers’ identities, and (2) with respect to all affected customers, the overpayment for insurance coverage.

The first claim (i.e., based on customers whose identities were stolen and who suffered economic harm as a result) is fairly straightforward and uncontroversial.

The second claim (related to the overpayment of premiums of all affected customers) is a bit more novel.  This second claim is based on an unjust enrichment theory, which the Eleventh Circuit addressed prior to remanding this case back to the district court.  The Eleventh Circuit recognized the customers’ unjust enrichment claim stating that when AvMed charged customers, as part of premium payments, to fund the administrative costs of data security, then AvMed is unjustly enriched to the extent it subsequently fails to implement the data security measures.  This notion is premised on the fact that customers paid monthly premiums to AvMed, a portion of which was presumably allocated to the data security efforts that AvMed promised its customers.  And, of course, AvMed did not implement these promised data security efforts, but nevertheless retained the entirety of the customers’ premiums.  Accordingly, under this theory of unjust enrichment, the customers paid for undelivered services and thus are entitled to partial refunds of their premiums.

The Settlement

Under the terms of the settlement, AvMed agrees to create a $3M settlement fund. Customers who can show that they actually suffered identity theft as a result of the 2009 data breach can make claims to recover monetary losses associated with the identity theft.  Additionally, all affected customers (whether they suffered actual identity theft or not), will be entitled to claim $10 for each year that they paid premiums to AvMed, subject to a cap of $30.  The cash payments available to all affected customers provide reimbursement for the portion of their insurance premiums that AvMed should have allocated to data protection and security.

Additionally, under the settlement, AvMed is required to implement wide-ranging measures to ensure that its customers’ PII is protected, including:

  1. instituting mandatory security awareness and training programs for all company employees
  2. instituting mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers
  3. upgrading all company laptop computers with additional security mechanisms, including GPS tracking technology
  4. adopting new password protocols and full disk encryption technology on all company desktops and laptops
  5. installing physical security upgrades at company facilities and offices to further safeguard workstations from theft
  6. reviewing and revising written policies and procedures to enhance information security

For Comparison’s Sake

So, just for fun, here’s how this settlement stacks up against some other recent, high-profile data breach settlements:

  • Johansson-Dohrmann v. Cbr Sys., Inc., No. 12-CV-1115 (S.D. Cal. July 24, 2013) – established a $2.5 million fund to provide approximately 300,000 class members with two years of credit monitoring and identity theft reimbursement.
  • Beringer v. Certegy Check Services, Inc., No. 07-cv-01657 (M.D. Fla. Sept. 3, 2008) – established a $5 million fund to provide approximately 37 million class members with up to two years of credit monitoring and identity theft reimbursement.
  • In re Heartland Payment Sys. Inc. Customer Data Sec. Breach Litig., MDL No. 09-2046 (S.D. Tex. 2012) – established a $2.4 million fund from which to provide over 100 million class members with identity theft reimbursement.
  • Rowe v. Unicare Life and Health Ins. Co., No. 09-cv-02286 (N.D. Ill. Sept. 14, 2011) – established a $3 million fund to provide approximately 220,000 class members with one year of credit monitoring and identity theft reimbursement.

The Nordstrom Case: What’s in an Email Address?

An email address is Personal Identification Information (PII), according to the US District Court (Eastern Dist. of California) applying California’s Song–Beverly Credit Card Act of 1974 (“Credit Card Act”) (Cal. Civ. Code §§ 1747 et seq).  In the class action case Capp v. Nordstrom, a customer alleged that Nordstrom requested his email address in connection with a credit card transaction at a Nordstrom retail store for the purpose of sending him an e-receipt.  The customer further alleged that Nordstrom then used his email address to send him unsolicited marketing materials in violation of the Credit Card Act.  The issue, among others, that the court was faced with was whether an email address is PII under the Credit Card Act.

Attribution: Vrysxy

The Facts

According to the customer, a Nordstrom cashier asked him to provide his email address to receive an electronic receipt.  Believing it was required to complete the transaction, the customer provided his email address to the cashier.  The cashier then typed the customer’s email address into the portable sales device, at which point in the transaction the customer’s credit card number and email address were recorded in the same portable device.  As expected, the customer later received an email with his receipt; however, according to the customer, he also received marketing and promotional materials from Nordstrom “on a nearly daily basis.”

The Credit Card Act

Under the Song-Beverly Credit Card Act, a company that accepts credit cards for business transactions cannot “request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person … or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”  As to the definition of PII, the statute states that PII means “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”

The Credit Card Act imposes civil penalties for violations “not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation.”

The Decision

The statutory definition of PII makes no mention of email addresses. The district court noted that there is no published case deciding the question of whether an email address constitutes PII under the Credit Card Act.  Accordingly, without a controlling California Supreme Court decision on point, the district court was tasked with predicting how the California Supreme Court might decide the issue.

To do so, the district court pointed to a recent California Supreme Court case Pineda v. Williams–Sonoma Stores, Inc. (2011).  In Pineda, the California Supreme Court interpreted the words “personal identification information” to include a cardholder’s ZIP code.  The California Supreme Court’s analysis focused on the notion that a cardholder’s ZIP code can be used, together with the cardholder’s name, to locate his or her full address; and, importantly, a cardholder’s address and her ZIP code both constitute information unnecessary to the sales transaction that can be used for commercial purposes.  As the district court put it:

“In this case, an email address is within the scope of the statute’s broad terms concerning the cardholder as well because a cardholder’s email address pertains to or regards to a cardholder in a more specific and personal way than does a ZIP code.  Instead of referring to the general area in which a cardholder lives or works, a cardholder’s email address permits direct contact and implicates the privacy interests of a cardholder. Therefore, this Court predicts that the California Supreme Court would decide that an email address constitutes personal identification information as those terms are defined by section 1747.08(b) of the Credit Card Act.”

Nordstrom also argued that the Credit Card Act claim would be necessarily preempted by the CAN-SPAM Act if email addresses were determined to be PII.  The district court rejected this argument and held that the customer’s claims were not subject to CAN-SPAM’s preemption because the Credit Card Act applies only to email addresses and does not regulate the content or transmission of the underlying messages.

Imminent Expansion of the Security Breach Notification Law

Back in 2003, California became the first state in the U.S. to pass a security breach notification law. California’s Security Breach Notification Law applies to any business that conducts business in California, which of course means that the law reaches nearly all companies that have an e-commerce presence.  In a nutshell, the statute requires businesses to notify California residents when the security of such residents’ personal information has been breached.  The rationale behind the law is that breach notification ensures that residents become aware of a breach, thereby allowing them to take actions to mitigate potential financial losses due to fraudulent use of their personal information.

Attribution: Tom Murphy

Fast forward ten years.  The California Attorney General’s specialized eCrime Unit found that increasingly “criminals are targeting Internet Web sites with inadequate security, including some social media Internet Web sites, to harvest email addresses, user names, and passwords,” and “[b]ecause most people do not use unique passwords for each of their accounts, acquiring the information on one account can give a thief access to [many different] accounts.”

And so, on September 10, the California legislature passed and sent to the Governor’s desk a bill that would amend California’s security breach notification law in a significant way.  This is the second bill in as many weeks to reach the Governor’s desk addressing consumer privacy.  Last week it was AB-370, which I discussed here.  This week, it is California Senate Bill 46 (SB-46), which would expand the definition of “personal information” subject to California’s existing security breach disclosure requirements to include “a user name or email address, in combination with a password or security question and answer that permits access to an online account.”  This could have a significant impact, given that notification requirements following a security breach incident depend upon whether the compromised data falls within the definition of “personal information”.

Overview of California’s Security Breach Notification Law

California’s Security Breach Notification Law (Section 1798.82 of the California Civil Code) requires businesses that own or license computerized data consisting of personal information to disclose any breach of the security of the system following discovery of such breach to any resident of California whose unencrypted personal information was believed to be acquired by an unauthorized person.  The triggering event is a “breach of the security of the system”, which means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business.  Likewise, 1798.82 requires businesses that maintain (but do not own or license) computerized data consisting of personal information to notify the owner or licensee of the information of any associated security breach immediately following the discovery of such breach.

Where a data breach occurs and a business is required to issue a notification, the law requires that the notification be written in plain language, and include (1) the name and contact information of the business, (2) the types of personal information that were believed to have been the subject of a breach, (3) the estimated date, or date range, of the breach, (4) the date of the notice, (5) whether the notification was delayed as a result of a law enforcement investigation, (6) a general description of the breach incident, and (7) the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license number.  Additionally, at the discretion of the business, the notification may also include information about what the business has done to protect individuals whose information has been breached and advice on steps the individual may take to protect him/herself.

Up until what appears to be the imminent passage of SB-46, the definition of “personal information” meant an individual’s first name or first initial and last name in combination with that individual’s (1) social security number, (2) driver’s license or California ID number, (3) account number, in combination with any required security code, PIN, or password that would permit access to that individual’s financial account, (4) medical information, or (5) health insurance information, when either the name or any of the data elements (1)-(5) are not encrypted.

How SB-46 Amends Section 1798.82

SB-46, if signed by Gov. Jerry Brown, would amend 1798.82 in three notable ways.  First, and probably most significantly, SB-46 would broaden the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”  Unlike the existing data elements (e.g., social security number, medical information, etc.), this new category of personal information does not need to be in combination with the individual’s name to be deemed personal information.

Second, and perhaps in an effort to mitigate the impact that will surely be felt by companies, the bill would provide a streamlined notification process for breaches concerning the new online account information category of personal information.  The streamlined notification process would allow the business to comply with notification requirements by providing the security breach notification in “electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.”

Third, the bill would create a variation on the streamlined notification process for breaches concerning login credentials of an email account that is furnished by the business.  For these businesses (i.e., email service providers), the business must provide notice by the traditional method required under the current notification requirements (i.e., non-streamlined) or “by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the business knows the resident customarily accesses the account.”

Certainly, with the occurrence of data breaches on the rise, and given that usernames/email addresses and passwords are commonly collected by companies with an eCommerce or social network presence, the additional category of personal information introduced by SB-46 will have a compounding effect on companies’ notification obligations.  Companies, going forward, would be wise to put together a strategy to treat usernames/emails in combination with passwords (or security questions/answers) just as they would a person’s name in combination with a social security number under their existing information security policies.