In a precedent-setting case, a Florida court has approved a settlement against AvMed for a data loss. The decision was handed down by the U.S. Court of Appeals for the 11th District of Florida. AvMed, a health insurer, had two laptop computers stolen in 2009 that contained the names and personal health information of as many as 1.2 million of its customers. The information on the laptops was not encrypted. Settlement documents filed in the U.S. District Court for the Southern District of Florida show payments will be offered to 460,000 individuals.
These are customers whose personal information was contained on the two stolen laptops and who also paid insurance premiums to AvMed. The key factor in the case is that none of the consumers/plaintiffs suffered identity theft or any other direct losses. However, they blamed AvMed for breach of contract and fiduciary duty, negligence, and unjust enrichment.
It's highly unusual for courts to grant damages in data loss cases. The courts have often rejected suits based on the fact that, although information was lost, no direct harm came to the consumer. At least, no harm could be proven, and the court would not rule on future damages. This is the first case where the plaintiffs won without evidence of actual loss.
The U.S. District Court for the Southern District of Florida originally dismissed the case. The case was appealed and the plaintiffs won. AvMed's second attempt at a dismissal failed, forcing the $3 million settlement. Other requirements of the settlement are:
- Mandatory security awareness and training programs for all company employees;
- Mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers;
- Upgrading all company laptop computers with additional security mechanisms, including GPS tracking technology;
- New password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices would be encrypted at rest;
- Physical security upgrades at company facilities and offices to further safeguard workstations from theft;
- Review and revision of written policies and procedures to enhance information security.
This ruling is a clear precedent for future data breach cases and could signal an attitude change in the courts as data breaches become more common. Courts, however, could be responding to the skyrocketing identity theft rates.
The Federal Trade Commission reported that the number one consumer complaint in 2013 was identity theft. American consumers reported losing over $1.6 billion to fraud in 2013.
As a result of this ruling, there are sure to be many more data breach lawsuits. Although $3 million is not a huge sum of money in a settlement, few companies want to face a court with this precedent in place. The settlement sends the message that customers expect companies to protect their information and the courts are becoming more sympathetic.