This post was also written by Frederick Lah.
Earlier this week, a data breach class action brought against health insurance provider AvMed, Inc. came one step closer to resolution when plaintiffs filed their unopposed motion for preliminary approval of the class action settlement. The parties filed a joint notice of settlement back in September, but details were not provided until now.
Plaintiffs in this case alleged that in December 2009, two unencrypted laptops containing personal information from 1.2 million customers – information including their names, addresses, Social Security numbers, and medical health information – was stolen from a conference room. After three years of litigation, which included an appeal before the 11th Circuit and multiple mediation attempts, the parties have agreed to a compromise to resolve the class action. Under the terms of the proposed settlement, AvMed agreed to create a settlement fund for $3 million from which members can make claims for $10 for each year that they bought insurance (subject to a cap of $30). Class members who have experienced identity theft are eligible to make additional claims to recover their losses. In addition, AvMed agreed to implement increased security measures, for example, mandatory security awareness and training, and installing encryption and other security protocol on their laptops.
While class action settlements are contractual in nature and only binding upon the parties that enter into them, they may still serve to influence negotiations between other similarly situated parties, as well as upon the courts reviewing the settlement’s overall fairness and reasonableness. Settlements for data breach class actions have traditionally not extended payments to class members who have not experienced any fraud or identity theft. Here, though, that is exactly what the sides agreed to, whereby payments will be made to all class members who purchased insurance, even absent any fraud or identity theft. Plaintiffs in data breach and theft cases have long sought (without success) to advance the idea that the value of the underlying good or service involved is somehow degraded by the security incident.