If cybersecurity is not currently at the top of your company’s to-do list, then it should be. Anthem Inc., the nation’s second-largest health insurer, agreed to a $115M settlement package to end litigation surrounding a 2015 data breach that affected nearly 80 million people. According to the deal, Anthem will (1) provide two years of credit monitoring, in addition to the two years that were previously offered after the breach in 2015, (2) cover out-of-pocket expenses, (3) compensate customers who already purchased credit monitoring products, and (4) make improvements to its data security systems. And the lawyers representing the class will cash in on $38M in attorneys’ fees. The lawyers always seem to get paid.
This was an interesting case because Anthem admitted that it did not encrypt the data that was stolen from company servers, including names, birth dates, Social Security numbers, addresses, and other personal data. While Anthem argued that it was not required by law to encrypt this personal data, the plaintiffs argued that it should have been encrypted. Anthem responded that encryption would have posed internal challenges and may not have prevented the attack, but this did little to slow down the lawyers representing the victims whose data was stolen.
Anthem’s decision to store unencrypted personal data on its servers clearly contributed to this huge settlement, suggesting that encryption at rest should be an essential consideration in any company’s security policy. A company that holds personal information for millions of customers cannot simply argue that it met the requirements of HIPAA or another regulatory framework; it must go above and beyond the legal requirements to protect customer data. Cyber criminals or hackers continue to evolve, and class action lawyers are going to force companies to do the same.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high-quality legal representation in intellectual property, cybersecurity, and technology matters and disputes.