How surprising was the $115 million settlement health insurance giant Anthem has offered to resolve a security class-action lawsuit sprung from the 2015 personal data theft of some 79 million customers?
Considering that earlier, similar settlements involving Home Depot, Target, Sony, Ashley Madison and LinkedIn together have totaled $83.5 million, Anthem's reparation is eye-popping. To date, it’s the largest data breach settlement, but it may yet be dwarfed by whatever amount Yahoo ends up paying for two colossal hacks in 2013 and 2014 in which data from 1.5 billion users was pilfered.
For now, with more than 100 lawsuits filed against Anthem across the U.S. claiming its culpability in the massive heist, perhaps the settlement number can be seen in a more pinpointed light: It’s ginormous because it should be.
More importantly, it’s an indication that security breaches have become so lucrative for crooks as to set the punishment for companies exposing customer data at newly astronomic heights.
Anthem’s proposed settlement of the consolidated cases must still be approved by Judge Lucy Koh in U.S. District Court for the Northern District of California--yes, that Judge Koh who presided over the Apple/Samsung battle royale.
The settlement aims to protect class members from future risk, provide compensation, and ensure best cybersecurity practices to deter against future data breaches, Anthem said.
Judge Koh will be mulling over how Anthem intends to use the $115 million. The insurer, which reported profits of $2.46 billion for fiscal year 2016, down slightly from the prior year, said it will set up a monetary fund to:
- Provide victims of the data breach at least two years of credit monitoring.
- Cover out-of-pocket expenses incurred by consumers as a result of the data breach.
- Provide cash compensation for those consumers who are already enrolled in credit monitoring.
In addition, Anthem will have to allocate an undisclosed amount of money for information security, specifically to overhaul its data security systems and policies, encrypt certain information and archive sensitive data with strict access controls.
The two most notable data breach settlements to date are (via Classaction.com):
- Home Depot: $44.5 million, made up of $19.5 million to settle a 2014 hack in which 50 million credit cards and personal information were stolen from customers, and a $25 million deal with banks and credit card companies for damages. Home Depot’s total losses for the data breach have reportedly reached $179 million.
- Target: $28.5 million in 2015 to settle a federal class-action lawsuit, including $10 million to customers victimized by the heist of 42 million credit cards and personal data of 61 million customers. A second settlement of $18.5 million in May resolves an investigation by state attorneys general. Target has reportedly spent some $200 million in settlements and legal fees as a result of the data breach.
Other noteworthy settlements of lesser amounts include Sony’s $8 million in 2015, Ashley Madison’s $1.6 million last December, LinkedIn’s $1.25 million in 2015 and Stanford Hospitals & Clinics’ $4.1 million in 2014.
A recent study conducted by Ponemon and underwritten by IBM Security found that the average cost per data breach to businesses globally dropped 10 percent to $3.6 million. In the U.S., the average cost of a data breach was $7.35 million. Ponemon’s data also showed that companies are incurring larger breaches, averaging more than 24,000 records.