What stands out most about a proposed $74 million settlement of a class action lawsuit against Premera Blue Cross in the wake of a 2014 data breach that affected 11 million individuals? Technology attorney Steven Teppler points to the attention given to "fixing" the health insurer's security problems.
The proposed agreement, which was filed on May 31 in a federal court in Oregon, would settle a class action lawsuit that consolidated more than 40 lawsuits filed after the data breach was revealed in March 2015 by the Seattle-based insurer. It awaits court approval.
The settlement proposes $32 million for breach victims and related legal costs and would require the health insurer to invest $42 million in bolstering data security.
The settlement "not only takes care of victims, but takes care of business internally at the organization to make sure there are resources devoted to fixing or mitigating the security problem, but also that there are ways to establish milestones to make sure what is promised is actually done," Teppler says in an interview with Information Security Media Group.
Enhancing Security
Under the settlement, Premera would spend at least $14 million annually over the next three years on enhanced data security measures. Those include encrypting sensitive data, such as member names and Social Security numbers; implementing and maintaining two-factor authentication for remote access; and conducting an annual IT security audit.
These types of prescriptive measures are becoming more common in the settlements of breach-related civil lawsuits, notes Teppler, who was not involved in the Premera case.
"You're seeing multiple data breaches, serial data breaches, data breaches that serve as the poster children for breaches that happen subsequently," he says. As a result, he says, more breach settlements include "consent decrees that require step-by-step monitoring, auditing and corrective actions by the defendant."
In this interview (see audio link below photo), Teppler also:
Analyzes other terms in the proposed settlement in the Premera case;
Reviews lessons from cyberattacks involving nation-states;
Discusses other emerging data breach lawsuit trends.
Teppler leads the electronic discovery and technology-based litigation practice at the law firm Mandelbaum Salsburg P.C. He's the co-chair of the American Bar Association's IoT Committee; a member of the Seventh Circuit Court of Appeals Electronic Discovery Pilot Program; a founder and co-chair of the American Bar Association's IoT National Institute as well as the American Bar Association's National Institute on Electronic Discovery and Information Governance; and a contributing author of the ANSI X9F4 trusted timestamp guideline standards for the financial industry.