A recent string of multi-million dollar settlements involving data security breaches demonstrates the need for every company that maintains sensitive personal information about its customers to review the adequacy of its data security policies and procedures. Two of these settlements, involving the exposure of personal information belonging to millions of customers of AvMed, Inc. (“AvMed”) and Schnucks Markets, highlight the legal and financial risks that companies face and the need for companies that handle personal information to review their security policies and procedures.
On October 24, 2013, the U.S. District Court for the Southern District of Florida (“District Court”) granted preliminary approval of a proposed $3 million settlement of a data security breach lawsuit against AvMed, a Florida-based healthcare provider. The lawsuit arose from the theft of two laptops from a conference room in AvMed’s corporate office. The stolen laptops were unencrypted and contained personal information for roughly 1.2 million of AvMed’s customers.
AvMed customers filed a class action lawsuit claiming that AvMed had failed to adequately secure their personal information. The District Court initially dismissed the lawsuit in July 2011, but the 11th Circuit reversed, finding that the plaintiffs had in fact suffered cognizable injuries. In a case of first impression, the 11th Circuit reasoned that the plaintiffs had suffered an injury-in-fact because they were victims of identity theft and had incurred monetary damages as a result of AvMed’s failure to adequately protect its electronic databases from security breaches.
In addition to paying the plaintiffs $3 million in damages, AvMed accepted several prospective obligations under the settlement. AvMed agreed to: (1) implement mandatory security awareness and training programs for all employees; (2) upgrade all company laptops and desktop computers with additional security mechanisms, including GPS tracking; (3) adopt strict password protocols and full disk encryption technology on all company laptops and desktop computers; (4) make physical security upgrades at all company facilities; and (5) review and revise all written information security policies and procedures maintained by the company.
Another multi-million dollar lawsuit, involving the grocery chain Schnucks Markets, was also recently settled. Between December 2012 and March 2013, Schnucks Markets suffered a breach in which malicious code was inserted into the company’s payment system without its knowledge, allowing the attackers to access the credit card information of roughly 2.4 million customers.
The class action lawsuit, filed in the St. Louis Circuit Court, alleged that Schnucks Markets: (1) failed to adopt best practices in securing its customers’ personal financial information; and (2) failed to notify customers promptly and clearly that their information had been stolen, even though Schnucks Markets had issued a national press release within two weeks of learning of the breach.
For corporations that maintain electronic records of personal information, the AvMed and Schnucks Markets settlements underscore the importance of regular risk assessments, periodic review of privacy and data security policies and procedures, and strong training and oversight to ensure compliance with those policies and procedures.
Our firm will be continuing to monitor these settlements, and other developments in privacy law. For more information about the firm’s privacy practice, please visit our website or contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at firstname.lastname@example.org.