The announcement of a $115 million settlement by Anthem Inc. over the health insurer’s massive January 2015 data breach suggests that class-action litigation over breaches will likely continue despite failures and relatively low settlements in other cases.
The $115 million agreement, if approved by the court, would be a record settlement and involves no admission of wrongdoing by Anthem, which commented in a statement, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”
“The $115 million Anthem settlement price tag is no doubt likely to incentivize class action plaintiffs’ attorneys to pursue increasingly high settlement amounts in the context of data breaches,” Roberta Anderson, director of Cohen & Grigsby’s cyber practice, told Advisen in an email.
This may become more of a trend, according to Todd Rowe, partner with Tressler LLP, who wrote on his blog Privacy Risk Report, “There should be little question that data breach litigation will continue to present unique issues for courts. However, we are also starting to see a trend showing settlements in data breach litigation may present novel issues. For example, the documents publicly available related to the settlement of the Anthem breach shows plaintiffs, in addition to money, may be looking for a commitment from the breaching party to repair the damaged caused by a breach.”
In ending the multi-state action, Anthem also communicated a commitment to strong cybersecurity practices, noting, “As we have seen in cyberattacks against governments and private sector companies including Anthem over the past few years, many cyber threat actors are increasingly sophisticated and determined adversaries. Anthem is determined to do its part to prevent future attacks. To that end, as part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyberattack, and we have agreed to implement additional protections over the next three years.”
While other breach cases have outright failed in proving standing (as in the case of Barnes & Noble’s data breach) and others have settled for relatively low sums, such as Target’s recent $18.5 million settlement over its 2013 breach with state attorneys general and a $10 million settlement with consumers, experts advise awareness of the full impact of settlements on the organizations involved.