Data Breach Suit Verdicts Impact Third-Party Liability Coverage
Two recent class action lawsuits herald a shift in how courts view data breach events and the harm they cause. The rulings make it easier for plaintiffs to pursue data breach class action lawsuits and to recover damages for identity theft and fraud – even when they have experienced no actual monetary harm.
The AvMed Settlement
AvMed Inc., a Florida health insurance company, was the target of a class action lawsuit as a result of a data breach in 2009. In this case, two laptops were stolen that held unencrypted personal and health data of more than 1 million AvMed members and their dependents.
The recent settlement, to the tune of $3 million, is noteworthy because it provides financial redress for people who did not actually experience identity theft. The ruling cited negligence, breach of contract and “breach of fiduciary duty” as just some of the reasons the court felt AvMed failed to properly secure data that had been entrusted to it. In addition, those people who did, in fact, become identity theft victims as a result of the AvMed breach may submit claims for reimbursement of any monetary losses they incurred.
This ruling breaks new ground. Decisions handed down in previous cases largely have centered on demonstrable harm or damages breach victims have experienced. The AvMed settlement diverges from that pattern.
Moreover, the ruling highlights the variances between state and federal law (and even state-by-state law) regarding the exposure of personal health information. Federal Health Insurance Portability and Accountability Act (HIPAA) legislation doesn’t include a mechanism for individuals to pursue lawsuits as a result of a data breach, but a state’s law might.
Spokeo’s FCRA suit
A final ruling hasn’t been handed down yet, but a federal appellate court recently allowed another data privacy case to move forward. An individual is suing Spokeo Inc. for violations of the Fair Credit Reporting Act (FCRA). The lawsuit contends Spokeo published inaccurate information about the plaintiff, and the Ninth U.S. Circuit Court of Appeals found that Spokeo’s potential violations of the FCRA were enough to allow the case to continue.
Although he suffered no actual harm, the plaintiff says the incorrect information published by Spokeo hurt his employment prospects and caused anxiety. As with the AvMed case, the Spokeo lawsuit ushers in the prospect of plaintiffs who have no demonstrable financial damages to support their case.
Businesses Must Keep Pace
Companies that collect and store personal information – whether financial data, health records, or names and email addresses – should take notice. The information privacy environment is changing, and privacy policies and actions need to keep pace. There is an increasing expectation from consumers and courts that personal data be appropriately protected. Lackluster safeguards, or doing the bare minimum simply to meet compliance mandates, probably isn’t enough anymore.
In addition to the enormous reputational damage that may follow a data breach event (think of Target’s ongoing woes), the costs to respond to an exposure can add up quickly. From providing credit or fraud monitoring services to dealing with regulatory fines and penalties, companies that experience a breach often find themselves facing stiff financial burdens. Add in the potential for individuals who haven’t suffered monetary damages to successfully litigate for financial redress, and the costs can be devastating.
Small and midsized businesses (SMBs) – those that are typically more likely to rely on outside vendors for much of their technology and data storage needs – aren’t off the hook. The expectation that firms do the right thing when it comes to information security applies no matter how the services are provided. Vendor due diligence is more crucial than ever.
Takeaways for Insurers
Carriers must evaluate their practices. The AvMed and Spokeo cases signal a change toward a legal landscape that’s more permissive when it comes to plaintiffs seeking damages where no financial harm has occurred.
The prevalence of breaches making headlines hasn’t diminished, and it is likely that cases similar to these will be filed in the future. With these precedents set, will future suits be dismissed on a Rule 12(b)(6) motion – failure to state a claim upon which relief can be granted – as many were in the past? Perhaps not.
The Spokeo case carries significant implications. Violations of statutory rights may now contribute to the grant of standing in lawsuits where the plaintiff didn’t sustain actual damages.
Attorneys may also look to this case in situations where a state’s breach notification laws have been violated.
How these recent examples will impact third-party liability coverage remains to be seen, but insurance carriers, agents and brokers must keep them in mind.
Making Data Privacy a Priority
The time to institute comprehensive information security is now. Proactive protection is a far better solution than responding to litigation or paying out settlements after a breach.
Unencrypted data is ripe for exposure. Encryption tools are often inexpensive and sometimes free, making the barrier to entry extremely low.
Knowing what data is being collected, stored and shared – and with whom – is paramount. Which compliance mandates might cover that data? What are the requirements to properly safeguard it from exposure? Claiming ignorance is not a defense, nor are terms of service that don’t address the real issues.
Language in third-party liability policies may need to be broadened to provide better protection to policyholders and carriers. Stipulations about the strength and effectiveness of data protection methods are a good place to start.
Best practices need to be followed, documentation maintained on the measures used, employee training conducted to improve compliance with company protocols, and audits performed to ensure conformity with the insurer’s expectations.
These are not fail-safe practices, but they may go far in protecting vulnerable data and avoiding exposures. They might also be effective in shutting down potentially costly litigation from parties who aren’t able to demonstrate actual harm.