Court approves first-of-its-kind data breach settlement

AvMed agrees to set aside $3 million for breach victims, whether they suffered direct harm or not

Courts have generally tended to dismiss consumer class-action lawsuits filed against companies that suffer data breaches if victims can't show that the the breach directly caused a financial hit.

A federal court in Florida broke the mold by approving a $3 million settlement for victims of a data breach in which personal health information was exposed when multiple laptops containing the unencrypted data were stolen.

The Dec. 2009 theft of laptops belonging to AvMed, a Florida-based health insurer, exposed the patient records of tens of thousands of its customers. Several victimes later filed a putative class action lawsuit against AvMed.

The plaintiffs suffered no direct losses or identity theft from the breach but nevertheless accused AvMed of negligence, breach of contract, breach of fiduciary duty and unjust enrichment

The U.S. District Court for the Southern District of Florida, which heard the case, dismissed the claims against AvMed two separate times.

However, upon appeal by the plaintiffs, the U.S. Court of Appeals for the Eleventh Circuit allowed several of the claims, including those pertaining to negligence and breach of contract, to remain, and remanded the case back to the district court.

When AvMed again filed a motion to dismiss the class action claims yet again, the district court refused to do so, prompting the health insurer and the plaintiffs to enter into settlement talks.

Under the agreement, $30 of each breach victim's insurance premiums over the past three years will be reimbursed. The plaintiffs contended that AvMed should have been spending $30 per users to bolster its data security controls.

Under the agreement, AvMed has also agreed to pay actual damages to anyone whose identity was stolen as a result of the breach.

In addition the company agreed to implement new password protocols and install disk encryption and GPS tracking tools on its laptops.

The district court handling the case, approved the settlement on Feb. 28, but only a handful of law blogs have so far reported on it.

The settlement is believed to be the first in which victims of a data breach are compensated without having to show they suffered any losses from the theft of their personal data.

Numerous courts around the country have long refused to entertain similar claims, maintaining that consumers can't claim damages from a data breach unless they can prove they suffered losses. Courts have noted that consumers cannot make damage claims based on the chance that they could become identity theft victims sometime in the future.

"I believe this is one of the first cases settling under an unjust enrichment theory," said Steve Larson a data breach attorney with law firm Stoll Berne. "The injured parties are saying, 'I paid premiums and as part of what I paid you, I expected you to keep my data secure.'"

The ruling could serve as a blueprint for other courts, Larson said.

"I have heard lawyers advocating this theory, but this is the first case where I have seen a settlement so directly tied that way," he said. "There will now be precedent to support a claim by plaintiffs that a portion of their health insurance premiums or their payment for medical care should have been used to improve data security."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingsecuritygovernmentGovernment/Industries

More about Topic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts