Data-breach class action suits may have just gained significant traction. On Feb. 28, 2014, the U.S. District Court for the Southern District of Florida approved a first-of-its-kind class action data-breach settlement that will pay plaintiffs regardless of whether they were damaged by the breach.
In December 2009, multiple laptops containing unencrypted patient records were stolen from Florida-based health insurer AvMed. Subsequently, several AvMed-insured customers whose personal health information was exposed filed a putative class action. The recent court-approved settlement will pay plaintiffs based not on any direct losses or identity theft resulting from the theft, but rather on the premiums they paid to the insurer. AvMed also agreed to pay actual damages for identity theft suffered due to the breach and to increase and improve its internal encryption and security protocols. But the real news here is that this settlement does not require even an allegation of actual harm before plaintiffs can recover monetary damages based on a data breach.
While this settlement may serve as a model for future data-breach class actions, a key factor in this case is that plaintiffs had an ongoing relationship with, and paid insurance premiums to, AvMed. Indeed, plaintiffs’ unjust enrichment argument was premised on the idea that their premiums were, in part, paying for data security. In the absence of such a relationship—specifically where a person pays for some future potential need—this case should be distinguishable. Regardless, this settlement serves as a reminder that a lapse in security has the potential to create huge exposure, whether it causes actual harm or not.