Courts have generally tended to dismiss consumer class-action lawsuits filed against companies that suffer data breaches if victims can't show that the breach directly caused a financial hit.
A federal court in Florida broke the mold by approving a $3 million settlement for victims of a data breach in which personal health information was exposed when multiple laptops containing the unencrypted data were stolen.
The Dec. 2009 theft of laptops belonging to AvMed, a Florida-based health insurer, exposed the patient records of tens of thousands of its customers. Several victims later filed a putative class action lawsuit against AvMed.
The plaintiffs suffered no direct losses or identity theft from the breach but nevertheless accused AvMed of negligence, breach of contract, breach of fiduciary duty and unjust enrichment.
The U.S. District Court for the Southern District of Florida, which heard the case, dismissed the claims against AvMed two separate times.
However, upon appeal by the plaintiffs, the U.S. Court of Appeals for the Eleventh Circuit allowed several of the claims, including those pertaining to negligence and breach of contract, to remain, and remanded the case back to the district court.
When AvMed again filed a motion to dismiss the class action claims, the district court refused to do so, prompting the health insurer and the plaintiffs to enter into settlement talks.
Under the agreement, $30 of each breach victim's insurance premiums over the past three years will be reimbursed. The plaintiffs contended that AvMed should have been spending $30 per user to bolster its data security controls.
Under the agreement, AvMed has also agreed to pay actual damages to anyone whose identity was stolen as a result of the breach.
In addition, the company agreed to implement new password protocols and install disk encryption and GPS tracking tools on its laptops.
The district court handling the case approved the settlement on Feb. 28, but only a handful of law blogs have so far reported on it.
The settlement is believed to be the first in which victims of a data breach are compensated without having to show they suffered any losses from the theft of their personal data.
Numerous courts around the country have long refused to entertain similar claims, maintaining that consumers can't claim damages from a data breach unless they can prove they suffered losses. Courts have noted that consumers cannot make damage claims based on the chance that they could become identity theft victims sometime in the future.
"I believe this is one of the first cases settling under an unjust enrichment theory," said Steve Larson, a data breach attorney with law firm Stoll Berne. "The injured parties are saying, 'I paid premiums and as part of what I paid you, I expected you to keep my data secure.'"
The ruling could serve as a blueprint for other courts, Larson said.
"I have heard lawyers advocating this theory, but this is the first case where I have seen a settlement so directly tied that way," he said. "There will now be precedent to support a claim by plaintiffs that a portion of their health insurance premiums or their payment for medical care should have been used to improve data security."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.