A Florida federal judge recently approved a landmark $3-million data breach class action settlement with health insurance provider AvMed, Inc. The settlement permits customers who suffered no monetary losses due to identity theft to claim part of the settlement. The settlement is reportedly the first of its kind to award money to plaintiffs who suffered no ascertainable damages.

The settlement related to the December 2009 theft of two AvMed laptop computers that contained the personal information of 1.2 million customers. Plaintiffs filed a complaint alleging negligence, breach of contract and implied contract, and unjust enrichment claims (among others) for AvMed’s failure to properly protect its customers’ data. The district court twice dismissed plaintiffs’ complaint for lack of standing, but the majority of plaintiffs’ claims were reinstated by the 11th Circuit, which held that plaintiffs had sufficiently established standing and pled injury. The plaintiffs had sought to certify two classes: all AvMed customers whose personal information was stolen, and all AvMed customers whose personal information was stolen and who became victims of identity theft. The 11th Circuit found that plaintiffs had established a plausible connection between the data breach and instances of identity theft suffered by some of the plaintiffs.

The more interesting holding, however, was that even those plaintiffs who had not been victims of identity theft had sufficiently pled injury, namely by claiming that AvMed was unjustly enriched because they paid more in insurance premiums to AvMed in exchange for AvMed taking sufficient measures to protect their data. The 11th Circuit allowed this claim to proceed. Rather than continue to litigate, AvMed agreed to settle by paying all current and former AvMed customers whose sensitive personal information was contained on the stolen computers $10 for every year they were an AvMed customer, subject to a maximum of $30. These payments relate to plaintiffs’ claims that AvMed should have been spending additional funds on data security during that time period. AvMed further agreed to reimburse all current and former AvMed customers whose personal information was contained on the stolen laptops and who suffered identity theft for the amount of any proven actual monetary loss that is claimed and is shown by the claimant to have more likely than not occurred as a result of the breach. AvMed has not admitted fault, but has agreed to implement a number of security improvements, including:

  1. Mandatory security awareness and training programs for all company employees;
  2. Mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers;
  3. Upgrading all company laptop computers with additional security mechanisms, including GPS tracking technology;
  4. New password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices would be encrypted at rest;
  5. Physical security upgrades at company facilities and offices to further safeguard workstations from theft; and
  6. The review and revision of written policies and procedures to enhance information security.

The court also approved the agreed-upon fee award to class counsel in the amount of $750,000 and an incentive award of $5,000 each to the class representatives.

TIP: Companies should be aware that in the wake of data breaches, plaintiffs’ settlement demands may include compensation for customers who suffered no actual losses related to the breach.