A federal judge in Florida granted final approval of a $3 million settlement in a data breach class action with AvMed, Inc., an integrated managed care organization.  The settlement agreement is unique in that it allows affected plaintiffs to recover even if exposure of their data did not result in identity theft.

The data breach resulted from the theft of two laptops from AvMed’s Florida facility in December 2009. Although one laptop was recovered, the laptop still missing contained unencrypted information, including the names, addresses, dates of birth, Social Security numbers, and personal health information of customers and former customers. In February 2010, AvMed initially disclosed that the security breach compromised the personal information of 208,000 people, before twice revising that number to eventually conclude that it affected 1.2 million.  AvMed notified those affected and offered two years of credit monitoring.

The plaintiffs who did not suffer from identity theft rode into this settlement on the coattails of those who did.  The district court originally dismissed plaintiffs’ claim because they failed to satisfy the pleading standard under Twombly by not alleging actual identity theft.  Plaintiffs then dropped those whose personal information was merely exposed, and added a named plaintiff whose identity was stolen, amending their complaint accordingly.  The district court again granted AvMed’s motion to dismiss for failure to state a cognizable injury.

The Eleventh Circuit Court of Appeals reversed in part, and remanded the action to the district court. It determined that the plaintiffs who suffered identity theft had Article III standing.  Their economic injuries constituted a cognizable injury as a matter of law.  Further, the injury was “fairly traceable” to the breach in AvMed’s data security, and a monetary award of compensatory damages would redress plaintiffs’ grievances.  The Eleventh Circuit also found that plaintiffs met the pleading standards under Twombly, rebuffing AvMed’s argument that they failed to allege a cognizable injury because they pleaded losses without noting that they were unreimbursed.

The mediation that followed led to the settlement recently approved by the district court. It remains to be seen how much of the $3 million settlement will go to each of the 1.2 million customers affected by the breach, given the various guaranteed costs that come out of this amount.  From this settlement, the plaintiffs’ attorneys netted $750,000.  The two named plaintiffs receive $5,000 each for their perseverance, in addition to whatever else they receive under the settlement.  Costs related to settlement notices and administrative fees are also deducted from the award.  The remaining funds will be provided to the identity theft victims in the amount of their unreimbursed losses, and to customers whose data was exposed in the amount of $10 per year, up to $30.  Two hundred and fifty thousand dollars is set aside exclusively for the identity theft victims.  If the claims exceed the remaining amount, then the amount paid to each plaintiff will be reduced pro rata.  Additionally, AvMed agreed to implement security measures and training.

Although this case is unique in that plaintiffs will recover some amount of money despite not suffering from identity theft, this is a settlement and not a ruling.  There is no indication of how this settlement will affect future data breach plaintiffs, if at all.  These types of plaintiffs will still need to establish standing by demonstrating that they suffered a cognizable injury that is fairly traceable to the defendant’s actions, and that can be redressed by a favorable court action.  Whether this settlement will encourage courts to allow data breach plaintiffs to overcome some of their largest hurdles, or encourage similar payouts, remains to be seen.

The action is Resnick et al. v. AvMed Inc., Case Number 1:10-cv-24513, in the U.S. District Court for the Southern District of Florida.