Anthem's $115M settlement likely to inspire future breach litigation
Advisen
Anthem's $115M settlement likely to inspire future breach litigation
By Erin Ayers, Advisen
The announcement of a $115 million settlement by Anthem Inc. over the health insurer’s massive January 2015 data breach suggests that class-action litigation over breaches will likely continue despite failures and relatively low settlements in other cases.
The $115 million agreement, if approved by the court, would be a record settlement and involves no admission of wrongdoing by Anthem, which commented in a statement, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”
Roberta Anderson, director of Cohen & Grigsby’s cyber practice, said the settlement "is no doubt likely to incentivize class action plaintiffs’ attorneys to pursue increasingly high settlement amounts in the context of data breaches.”
While other breach cases have outright failed in proving standing (as in the case of Barnes & Noble’s data breach) and others have settled for relatively low sums, such as Target’s recent $18.5 million settlement over its 2013 breach with state attorneys general and a $10 million settlement with consumers, experts advise awareness of the full impact of settlements on the organizations involved.
"Although the case law is not uniform, and is largely in its infancy, plaintiffs often cannot demonstrate harm sufficient to establish Article III standing because fraudulent changes resulting from compromised account information are reversed by card issuing banks, and only a small percentage of people are actually victimized by identity theft," Anderson told Advisen via email. "Although plaintiffs have gained some traction on the standing issues more recently, as reflected in connection with the Michael’s and Adobe breaches, even if plaintiffs get past a motion to dismiss for lack of standing, there remain lots of procedural and substantive hurdles to jump."
The lower settlement amounts, according to Anderson, reflect the continued issue that many plaintiffs have in proving Article III standing in data breach cases, but even lawsuits that don’t succeed have an impact.
“It is important for organizations to remember that even where data breach cases settle for relatively low amounts, these cases are costly to defend,” she said, noting that the cyber insurance market for breach coverage “has evolved markedly over the last 10 years, and the better products, at least after careful review and negotiation, offer solid protection against data breach-related liability.”
In ending the multi-state action, Anthem also communicated a commitment to strong cybersecurity practices, noting, “As we have seen in cyberattacks against governments and private sector companies including Anthem over the past few years, many cyber threat actors are increasingly sophisticated and determined adversaries. Anthem is determined to do its part to prevent future attacks. To that end, as part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyberattack, and we have agreed to implement additional protections over the next three years.”
Todd Rowe, partner with Tressler LLP, wrote on his blogPrivacy Risk Report, “There should be little question that data breach litigation will continue to present unique issues for courts. However, we are also starting to see a trend showing settlements in data breach litigation may present novel issues. For example, the documents publicly available related to the settlement of the Anthem breach shows plaintiffs, in addition to money, may be looking for a commitment from the breaching party to repair the damaged caused by a breach.”
