That headline does not refer to March Madness. I am speaking instead about a data breach case from a Florida federal case that may change the time honored playground rule.

The Florida case involved a health insurer called AvMed. In December 2009, thieves stole several AvMed laptops. Those laptops contained unencrypted data which included patient records from thousands of customers.

Some of the victims filed a lawsuit seeking class action certification and ran into a problem that plaintiffs in similar suits have encountered. Even though the theft caused anxiety about identity theft, none of the plaintiffs could point to any actual instances of identity theft. The trial court accordingly dismissed the case. Faithful readers of this newsletter may recall a recent edition which discussed a lawsuit against Nationwide Insurance which was dismissed for this very reason.

But the Florida plaintiffs appealed and ultimately got the case sent back to the trial court. On remand, the trial court denied the motion to dismiss, and allowed the case to proceed. The argument that saved the case? The plaintiffs contended that AvMed was “unjustly enriched.” According to this theory, part of the customers’ premiums was intended to cover the cost of data protection. Given the breach, presumably, AvMed didn’t spend appropriate sums to protect the data. Therefore, it got “money for nothing” to quote the old Dire Straits song.

The winning theory may sound like a stretch, but it prompted to AvMed to settle for $3 million. The question now is whether this case is an outlier or a trend. I suspect my friends who handle class action litigation are rooting for the latter as hard as they cheer on their favorite college hoop teams this time of year.