Judge Koh, who has been involved in many high-profile high-tech lawsuits such as Apple v. Samsung, gave final approval to a $115 million settlement for damages as a result of the Anthem breach. While this is only one lawsuit – I am sure there are others – it is important if only for the size of the settlement. Target, you may remember, paid $17 million to consumers, so this is almost 7 times the size for a relatively similar number of consumers.
The settlement also requires Anthem to provide a total of 4 years of free credit monitoring and to beef up its information security practices.
According to the lawyers who are suing Anthem, this is the largest data breach settlement ever.
The source of the breach was a phishing email that an employee opened.
The California Department of Insurance performed a proctological exam on Anthem’s practices and made “recommendations” for improvements, which Anthem implemented.
So what does this mean for businesses?
I think it is fair to say that millions of people did not suffer major losses as a result of this breach. What it does say is that the courts are becoming dramatically less tolerant of business practices that allow these breaches to occur – to the tune, for this one lawsuit, of $115 million.
I suspect there are still lawsuits by shareholders (this one was by consumers) because there is no reasonable way to consolidate consumers and shareholders into one single “class” for a class action.
And since Anthem is a HIPAA Covered Entity, we still have to see what the Department of Health and Human Services does.
I don’t know how much insurance Anthem had – the specifics seem to be murky other than that they had a $10 million primary cyber policy with extra layers that may have brought their coverage up to $150 to $200 million. How big the deductible in all that would be is also unknown. It is likely that they have exhausted all of their available coverage.
For businesses, this means that the risk from a breach continues to go up. This also means that it is even more important to do everything practical to avoid a breach. More cyber risk insurance coverage is probably a good idea. Many companies have $1, $2 or $3 million in coverage. While this is adequate for a small breach, in the case of a large breach, the insurance company will write a check and excuse itself. In many cases, the cost of defense is deducted from the money available for a payout, so if there is, say, a $1 million policy and it costs the insurance company $400,000 to defend you, there is only $600,000 left to pay claims.
All this is happening at the same time that states are upping the game in their individual state privacy and security laws.
This means that businesses need to reassess the risk from not having a “best practices” cyber security program in place. Anthem has likely spent $300 million in dealing with this mess – money that insurance companies, stockholders and customers will wind up paying. Since the state insurance departments approve rates in most states, how much those regulators will allow Anthem to charge consumers for this settlement is unknown, but they will probably not write Anthem a blank rate check.
I also heard that Anthem found it impossible to renew their insurance at anywhere near similar coverage for an affordable premium.
Source: Health IT Security.