Indianapolis Business Journal (IN)
An army of class action attorneys
took on Indianapolis-based Anthem Inc. over its massive 2015 data breach.
And
by their own estimation, they did a heck of a job when they got the insurance
giant last summer to agree to a $115 million settlement.
Now they're ready to collect their
reward in the form of attorney's fees. They filed paperwork in federal court in
California last month seeking $38 million in fees and $2 million in expense
reimbursements.
"Plaintiffs' counsel have
successfully litigated a groundbreaking case," wrote attorneys for the two
firms serving as lead counsel, San Francisco-based Altshuler Berzon LLP and
Washington, D.C.-based Cohen Milstein Sellers & Toll PLLC. "The
proposed settlement is the largest ever achieved in a data breach case."
But some Anthem customers are
unimpressed by the deal-which received preliminary approval in August-and even
less so by the fee request.
"For a company that made $2.5
billion in profits the last two years in a row, a $115 million penalty is
hardly a slap on the wrist," Anthem customer Joseph Oriowske said in a
January court filing month urging Judge Lucy Koh to reject the deal.
Making matters worse, critics say, is
that the vast majority of the nearly 80 million data breach victims would
receive two years of Experian fraud protection and credit monitoring as their
sole compensation.
Anthem gave victims two years of
credit monitoring when it made the breach public. Some opponents say the
additional monitoring is of dubious value-given that data hacks have become so
common that many Americans already have similar coverage. Further, so much time
has elapsed that the need for the coverage has dropped.
Anthem disclosed in early 2015 that
78.8 million current and former customers' records had been stolen by hackers
from December 2014 through the following January-a disclosure that touched off
more than 100 lawsuits accusing the insurer of inadequate data security. The
cases, some brought by Indianapolisbased Cohen & Malad LLP, were
consolidated into the California suit.
Under the settlement, Anthem did not
admit wrongdoing or acknowledge anyone was harmed by the cyberattack. Even so,
it agreed to set aside $15 million to reimburse customers who suffered
outof-pocket costs as a result of the breach, up to certain limits, and it
earmarked $17 million to purchase Experian credit -monitoring services.
Customers who already have credit
monitoring and certify they will keep it through October of this year are
eligible for a cash payment of up to $50, from a total pot of $13 million.
A far larger sum, $23 million, is
earmarked to pay California-based Kurtzman Carson Consultants, which was hired
to administer the settlement, including mailing postcards to 50 million current
or former Anthem customers for whom addresses are known.
In an objection to the fee request,
Anthem customer Adam Schulman noted that the settlement-administrator fee and
the proposed attorney's fees gobble up well over half the settlement.
"This is outrageous on its face
and a plain violation of ... law," he said in an objection to the fee
request.
But the class action attorneys say
achieving the results they did was a Herculean accomplishment, one that
encompassed more than 78,000 hours of challenging legal work.
"In reaching this historic
result, counsel took on four well-resourced law firms and matched them every
step of the way, beating back two motions to dismiss; completing a massive
discovery effort that included nearly 200 depositions and 3.8 million pages of
documents; and fully briefing class certification in the near absence of
precedent certifying a data breach class," the attorneys wrote.
In addition, the customers benefit
from Anthem's buying the credit-monitoring service at a bulk discount.
Customers buying that coverage on their own would pay at least $240 apiece, the
attorneys said.
And on top of all that, Anthem agreed
to conduct adversarial simulations at least twice a year, which would mimic a
malicious attacker, and to triple its spending on IT security over three years
compared with pre-breach levels.
The dollar value of that commitment
is not public record, however, because Anthem argued it was a trade secret that
should be redacted.
The irony of that stance wasn't lost
on customer Kelly Kress, who objected to the settlement and fees. "Indeed,
the defendant wishes to keep information private and confidential-despite
permitting the disclosure of millions of customers' private information,"
her attorneys wrote·
No comments:
Post a Comment