In Johansson-Dohrmann v. CBR Systems, Inc. et al, No. 3:12-cv-01115 (S.D. Cal., filed May 7, 2012), the latest data privacy class action to reach settlement, Judge Michael M. Anello on February 5, 2013 granted preliminary approval of a proposed class settlement in a federal class action suit brought by a client of a blood bank operator (CBR Systems), on behalf of 292,000 other clients and based on the blood bank’s failure to adequately protect the clients’ medical and other private information. The case arises from the December 2010 vehicle theft of a CBR employee in which a laptop, external hard drive, USB Key, Dell barcodes, and LTO4 Tapes, which allegedly contained unencrypted information regarding CBR’s clients’ names, social security numbers, credit card information, and/or credit card expiration date, were stolen. As with the majority of data breach class actions in California, Plaintiff originally brought suit in state court under California’s Confidentiality of Medical Information Act (“CMIA”), the California Records Act (“CRA”), and the Business and Professions Code (“UCL”). The case was later removed to Federal court.
The settlement covers a proposed class of all CBR clients whose medical or financial information was on the stolen company equipment. If fully utilized, the settlement has a value of upwards of $115 million. It includes the following parameters:
- A two-year subscription for all class members to a Credit Monitoring Protection Package, including credit monitoring, credit reports, credit alerts and identity theft protection of up to one million dollars. The Credit Protection Package has an estimated value of $112 million dollars;
- Reimbursement to class members who have suffered any actual injury, in the form of reimbursement of out-of-pocket expenses;
- The amount of proven loss up to $50,000 for any class member who has suffered from identity theft as a result of the underlying theft. This payment is subject to a total aggregate identity theft reimbursement cap of one million dollars;
- Administrative costs;
- Attorneys’ Fees capped at $600,000;
- A $5,000 incentive award to the named plaintiff.
The hefty settlement came on the heels of a separate deal in late January 2013, in which CBR Systems agreed to settle Federal Trade Commission charges based on the same breach that CBR maintained inadequate security practices that contributed to the breach, with CBR agreeing to establish and maintain a comprehensive information security program, to submit to security audits by independent auditors every other year for 20 years, and to refrain from misrepresenting its privacy and security practices. A hearing to determine final approval of the class action settlement is currently set for July 15, 2013.
On its face, this settlement is significant in its size vis-à-vis other California data breach class action settlements such as Snow v. Lenscrafters, Case No. CGC-02-4055442008 (San Fran. Sup. Ct., filed March 2002) (settled in 2008 for approximately $20 million); Blue Cross of California Website Security Issues, Case No. JCCP 4647 (Orange Cty. Sup. Ct., filed March 2010) (settled in 2011 for approximately $763,000 though there is potential for additional payments based on future identity theft losses); and recent settlements in statutory damages class actions, which have generally topped out around $30 million. The claims-made only structure of the CBR settlement, however, indicates that the settlement may never actually reach its full $115 million projected value, the majority of which is based on the credit monitoring subscription, because (1) the actual settlement value is dependent on the number of class members who make a claim for a subscription to the credit monitoring service, which likely is to be lower than the amount of claims that would be made for a cash payout, and (2) the actual cost of credit monitoring to defendant is likely lower than the retail value. It remains to be seen how many claims will be made and what the actual cost of settlement is to CBR.