This post was also written by Frederick Lah.
Last week, a judge for the Southern District of Florida gave final approval to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses). According to Plaintiffs’ Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement (“Motion”), this payment to class members “represents reimbursements for data security that they paid for but allegedly did not receive. The true measure of this recovery comes from comparing the actual, per-member cost of providing the missing security measures—e.g., what AvMed would have paid to provide encryption and password protection to laptop computers containing Personal Sensitive Information, and to otherwise comply with HIPAA’s security regulations—against what Class members stand to receive through the Settlement” (p. 16). It’s been reported that this settlement marks the first time that a data breach class action settlement will offer monetary reimbursement to class members who did not experience identity theft. In defending the fairness, reasonableness, and adequacy of the settlement, plaintiffs noted in the Motion, “[b]y making cash payments available to members of both Classes—i.e., up to $30 to members of the Premium Overpayment Settlement Class, and identity theft reimbursements to members of the Identity Theft Settlement Class members—the instant Settlement exceeds the benefits conferred by other data breach settlements that have received final approval from federal district courts throughout the country” (p. 16).
The finalization of this settlement marks the end of a hard fought battle between the parties. After AvMed obtained a dismissal with prejudice in the District Court based on plaintiffs’ failure to allege a cognizable injury, the dismissal was appealed to the Eleventh Circuit. Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012). There, the Eleventh Circuit found that plaintiffs had established a plausible causal connection between the 2009 data breach and their instances of identity theft. The court also determined that plaintiffs’ allegations —that part of the insurance premiums plaintiffs paid to defendant were supposed to fund the cost of data security, and that defendant’s failure to implement that security barred it from retaining the full amounts received—were sufficient to state a claim for unjust enrichment. On remand, AvMed answered plaintiffs’ complaint and filed a motion to strike class allegations, which was denied by the District Court as premature.
We’ve been particularly interested in this case for quite some time. Last year, we blogged about the unique nature of the settlement after the agreement was reached. Class action plaintiffs’ lawyers in the data breach context have often had their cases dismissed on the basis that they are unable to prove the class suffered any sort of injury or loss. With the AvMed settlement now final, we expect plaintiffs’ lawyers to try to leverage similar payment terms into their own data breach class action settlements. As we previously noted, class action settlements are only binding upon the parties that enter into them, but their terms can serve as models for future proposed settlements.