The plethora of breaches of electronic personal information by healthcare providers and other custodians of sensitive information has received heightened attention from the U.S. government over the past few months, including a settlement of a HIPAA proceeding for $4.8 million by Columbia University and New York Presbyterian Hospitals for disclosure of medical information of 7,800 patients onto the Internet in May; issuance of a Cyber-Risk Security Alert by the SEC in April, stating that audits for cyber-security safeguards were imminent (such audits are now underway); and a speech by Treasury Secretary Jack Lew in July that laid the groundwork for enhanced enforcement of cyber safeguards in the financial services industry. Now, as surely as day follows night, plaintiffs’ attorneys have brought class actions for data breaches. The results are not all in their favor, but one thing is sure: a company that is brought into such a case will incur a serious dent in its legal spend budget.
A class action claiming $4 billion in damages, or $1,000 per patient, brought on behalf of patients whose data were lost with a computer containing medical records of four million patients, was dismissed by the Court of Appeal of the State of California, Third District, in Sutter Health et al. v. The Superior Court of Sacramento County, on July 21, 2014. The court held that there was no cognizable injury because plaintiffs had not shown that anyone had accessed the medical information.
Yet, in a Florida class action concerning loss of unencrypted data on laptops of Avmed, Inc., the Eleventh Circuit reversed a dismissal on the ground of no provable damages, holding that the case could proceed because plaintiffs made out a claim by alleging “unjust enrichment,” in that the plaintiffs had paid money to the defendant in the form of monthly premiums, some of which, at least in theory, were to go toward information security. The case was settled in February for $3 million. Similarly, a class action against ComScore for violating plaintiffs’ privacy by collecting data about them, without permission, through tracking software bundled into gaming and other applications, settled in June for $14.8 million. The settlement, still awaiting court approval, calls for plaintiffs’ counsel to receive legal fees of $4.6 million.
With visions of such lucrative fees looming like sugarplums in the minds of many law firms, these class actions will increase, and many will survive motions to dismiss. Whether they do or not, significant legal expense exposure awaits any company caught in this legal thicket. Proactive assessment of cyber-risk, and strong privacy and data protection policies, though, can mitigate these risks.
For more information, please contact Kenneth N. Rashbaum.