The theft of two unencrypted laptops from a company’s conference room has resulted in a $3 million settlement in Resnick/Curry v. AvMed, Inc., a data-breach class-action lawsuit entering its final stage in the Southern District of Florida.
The plaintiffs’ claims arose from a December 2009 data breach at the corporate headquarters of defendant AvMed Inc., a Florida-based health insurance provider. The plaintiffs alleged that two laptop computers containing the unencrypted private information of AvMed’s 1.2 million customers—including their names, addresses, Social Security numbers and medical information—were stolen from a conference room.
In their complaint the plaintiffs sought damages and injunctive relief from the company for failing to properly safeguard their personal health information in accordance with the Health Insurance Portability and Accountability Act.
They also claimed that as a result of the defendant’s failure to properly secure their information, they have become victims of identity theft. Bank accounts and credit cards were opened in their names, unauthorized purchases were made, and one claimant’s home address was changed with the U.S. Postal Service.
In addition to the multimillion-dollar settlement, AvMed has agreed to implement the following measures to protect its customers’ sensitive personal information:
- Instituting mandatory security awareness and training programs for all company employees. *Instituting mandatory training on appropriate laptop use and security for all employees.
- Upgrading all company laptops with extra security mechanisms, including GPS tracking technology.
- Adopting new password protocols and full disk encryption technology on all company desktops and laptops.
- Installing physical-security upgrades at company facilities and offices to further safeguard workstations from theft.
These prospective measures are the most valuable part of the settlement, said Al Saikali, a partner and co-chair of Shook Hardy & Bacon’s Data Security and Data Privacy Practice Group, based in Miami.
“They provide a road map for what companies should do to minimize the risk of similar litigation,” he said. “They also make good business sense and are likely compatible with the expectations of a company’s consumers.”
If the laptops in the case had been encrypted, the lawsuit might never have been filed, he added.
Saikali noted that this settlement is in sharp contrast to the vast majority of data-breach cases, which have been dismissed for lack of standing and damages.
Roy Maurer is an online editor/manager for SHRM.
Follow him on Twitter @SHRMRoy.
SHRM Online Safety & Security pageKeep up with the latest Safety & Security HR news