There should be little question that data breach litigation will continue to present unique issues for courts. However, we are also starting to see a trend showing that settlements in data breach litigation may present novel issues. For example, the publicly available documents related to the settlement of the Anthem breach show that plaintiffs, in addition to money, may be looking for a commitment from the breaching party to repair the damage caused by a breach.
On June 23, 2017, the parties involved in the 2015 Anthem data breach brought the matter closer to a resolution when they filed documents with the District Court for the Northern District of California to settle the matter. This litigation involved seventeen class action lawsuits alleging that Anthem failed to properly protect the plaintiffs’ personal information and that Anthem delayed notifying impacted individuals of the breach. The Settlement Agreement and Release indicates that the parties engaged in mediation sessions over the first half of 2017 before finally agreeing to settle the matter for $115 million. The Settlement Agreement contains a “Settlement Fund” provision specifying exactly how the $115 million settlement payment will be allocated. First, the Anthem Entities are required to deposit $25 million into a Qualified Settlement Fund ten days after the Court enters the Preliminary Approval Order to cover administrative expenses, set-up costs for a “Credit Services” vendor which provides credit monitoring services for the plaintiffs, reasonable costs for providing notice of the terms of this Agreement, and “Out-of-Pocket” costs as defined under the Agreement. Next, the Anthem Entities are required to deposit the balance of the settlement payment in a Qualified Settlement Fund ten days after the Court enters the Final Approval Order and Judgment. While the settlement amount is staggering, the commitment that Anthem has to make to protect and re-establish the plaintiffs’ credit after the settlement is also worth considering.
The Settlement Agreement contains detailed provisions concerning notice, credit services and “Alternative Compensation” for impacted individuals:
The Settlement Agreement provides precise requirements concerning how the plaintiffs are to be notified of the settlement. The “Notice Plan” provides details on how plaintiffs are to be located and how options are to be presented to the plaintiffs.
Credit Services Provisions
The section of the Settlement Agreement addressing Credit Services requires the Anthem Entities to arrange for Experian to provide credit monitoring services to the plaintiffs. In addition to credit monitoring, the parties agreed that plaintiffs would be provided with:
- “ID Theft Insurance” which would provide insurance for theft-related expenses up to $1 million;
- “Internet Surveillance” which includes monitoring the “dark web” for plaintiffs’ personal information;
- “Identity Restoration Services” that would provide plaintiffs with “fraud resolution assistance”; and
- “Minor Plus” which provides added protection for plaintiffs that are minors.
The Credit Services provision makes it clear that the plaintiffs are going to look to Anthem to make arrangements to put them back to where they were prior to the breach. This provision will not allow Anthem to simply pay its money and move on. Rather, Anthem will need to act as an administrator to make sure it meets all obligations to the plaintiffs.
The Settlement Agreement also provides for “Alternative Compensation” for those plaintiffs that already have some form of credit monitoring and do not enroll in the Credit Services offered under the Settlement Agreement. Here, Anthem will need to confirm that each plaintiff who makes the necessary election qualifies for the Alternative Compensation.
The Agreement defines “Out-of-Pocket” costs as “expenditures that a [plaintiff] actually incurred that are fairly traceable to the Data Breach.” These costs may include unreimbursed fraud charges, professional fees incurred from identity theft or falsified tax returns, credit freezes or credit monitoring that was ordered after January 2015. These costs may also include reimbursement for time spent attempting to remedy issues related to the data breach at a rate of $15 per hour. The Agreement states that $15 million will be reserved from the Settlement Fund. And, once again, Anthem will need a system in place to review these costs.
Documents Filed Under Seal
Another interesting aspect of this settlement is seen in the parties’ Joint Administrative Motion To File Under Seal Portions of Plaintiffs’ Memorandum in Support of Motion for Preliminary Approval of Action Class Settlement And Exhibits to Settlement Agreement. In particular, the parties sought to redact sensitive information found in the Memorandum including “detailed and confidential information about Anthem’s information security.” Anthem claims this information, if publicly disclosed, could cause further harm “by giving potential cyberattackers insights into Anthem’s cybersecurity practices and protocols.”
This is not the first time parties have been concerned about information that could be extracted from court documents. During the settlement negotiations related to its breach in 2015, Target Stores contended that if documents related to its data breach litigation were filed unsealed, there was a chance that hackers would have access to detailed information about Target’s IT infrastructure, Target’s information security controls, and information about Target’s information security policies and procedures. Following Target’s lead, a number of courts around the country have started to consider what information they are making available online.
As the Anthem litigation draws to a close, it is clear that a cyber security incident can have a lasting impact. Even at this point, when the parties have agreed to settlement terms, Anthem will be responsible over the next few years for making sure the Settlement Fund is being properly administered, the Settlement Fund is being funded and the plaintiffs are being made whole. The Anthem Breach and Settlement make it clear that entities cannot simply pay damages related to a breach and walk. Rather, Anthem and the plaintiffs are now partners in addressing any fraudulent acts that arise out of the Anthem Breach, re-establishing plaintiffs’ credit and getting plaintiffs assistance to address any credit or tax issues that arise from the breach.