In December of 2009, two laptops containing sensitive information were stolen from the health insurance provider AvMed’s corporate headquarters, leading to a breach of 1.2 million customer records. Though this breach happened some years ago, AvMed suffered significant financial, reputational, and organizational hardship for years afterwards. What’s more, the subsequent class-action suit has set a new legal precedent for monetary reimbursements for breach victims.
In a Forrester Analyst Report, "Legal Costs In A Customer Data Breach Now Pack A Bigger Punch," Forrester analysts examine how the legal outcome of the AvMed class-action suit concerns all US organizations that store or process personally identifiable information (PII). The report notes that there are immediate costs following a data breach that many will account for, such as breach notification, forensics services, call centre staffing, identity theft protection and regulatory fines. But some costs are harder to quantify: brand damage, loss of productivity and drawn-out legal battles promise to increase the costs for years to come. Being sued is now the reality following a data breach; though most legal costs can be settled within 2 years, others drag out for many years.
With AvMed’s data breach, the class-action suit was dismissed twice in the district court before being re-instated by the 11th Circuit, with a settlement reached two years later. The unprecedented settlement reached in 2014 gives the entire class the right to recover something from the $3 million settlement, even if their data was not actually stolen or used by criminals. This is the first settlement that awards money to plaintiffs who suffered no ascertainable damage. The claim, in the AvMed case, was that AvMed raised insurance premiums to cover breach costs, this being the “injury.” However, the net result is a new legal precedent on breach suits that could be applied to other organizations.
Consumers, more aware now of the impact of a data breach, are fighting back with lawsuits when organizations fail to apply adequate data protection measures. As the report notes, workforce mobility trends continue to push the boundaries of how and where sensitive corporate data is used and stored, making it harder to adequately protect data, particularly on the endpoint. In order to get ahead of these risks, the Forrester report talks about the importance of applying security controls based on data sensitivity, encrypting at-rest data on employee endpoints (and having a way to prove encryption is working), enforcing data protection policies at the application layer, and building security behaviour into corporate culture.
At Absolute, we work closely with different analysts from around the world as one of many important inputs in the validation of our technology and product strategy. This report, for example, validates the unparalleled visibility Absolute DDS provides into all of your endpoints and the data they contain. With Absolute DDS, AvMed would have received an alert if laptops were possibly stolen (based on our geofences or other pre-set risk conditions), allowing them to take action to remotely freeze these devices or delete data. With our audit log, AvMed could have proven the laptops were properly secured (either that encryption was working properly, or data was not accessed and safely deleted), possibly avoiding the need for data breach notification in the first place.