Posts

RETURN TO SENDER: Aetna to Pay $17M to Settle Claims Related to Vendor Mailer Data Breach

Aetna has agreed to pay $17.2 million and to implement a “best practices” policy regarding sensitive policyholder data, in order to settle class action litigation brought against it arising from a mass mailing sent by one of its mailing vendors. As discussed in a blog post last year, federal class action litigation was brought against Aetna and its mailing vendor in 2017 based on the vendor’s use of glassine envelopes to communicate HIV medication information to Aetna insureds. The envelopes revealed that the named addressee was contacted about options for filling HIV medication prescriptions. The litigation alleged violations by Aetna and its vendor of several laws and legal duties related to security and privacy.

The contract lessons for customers and vendors that arise from the events in question, which were identified in the earlier post, remain the same. Do your contracts for non-IT and non-healthcare services fully consider the risk of privacy and security litigation? Do your contract’s indemnification and limitation of liability clauses contemplate the possibility of class action litigation? Before entering into a contract, have you considered whether the specific vendor services being provided to the particular customer in question implicate laws you hadn’t considered? And, Have you considered which specific aspects of vendor services may directly impact potential legal liability, and have you adequately identified and addressed them in the contract?

Importantly, the newly announced settlement, itself, provides three bonus lessons.

Published data breach cost statistics are helpful, to a point. 

In its 2017 Cost of Data Breach Study, Ponemon Institute reports that the average per capita cost of data breach in the U.S. for the period of the study was $225. It also reports that, for the same period, the average total organizational cost in the U.S. for a data breach was $7.35 million. Somewhat remarkable, as part of its settlement Aetna agreed to pay $17.2 million in connection with the breach in question – a figure that is about $10 million over the average reported by Ponemon Institute. But, Aetna’s payment is not out of the ballpark, as averages are averages, after all. Much more remarkable, however, is the per capita settlement amount. Aetna’s settlement figure represents a per capita amount of $1,272 – that number is more than five times the reported average. (For reference, that per capita cost would put Equifax’s settlement number for its recent breach at $185 billion dollars.) Bottom line, when considering or counseling clients as to the financial impacts of data breaches, the average cost figures for data breaches are as important as the qualification of the figures, themselves, as only averages (with any number of data security breaches costing more, or less, than the averages).

Data breach cost statistics often do not compare well with litigation settlement amounts. 

Yes, Aetna agreed to pay $17.2 million as part of the settlement, as compared to Ponemon Institute’s reported $7.35 million average U.S. data breach cost. While the $7.35 million figure includes forensics costs, customer churn, post data breach costs, and other direct and indirect expenses, the $17.2 million figure is not as comprehensive. It does not include, for example, Aetna’s legal fees incurred to defend and settle the class action litigation, nor does it include other pre-settlement costs and expenses incurred by Aetna. As efficient or helpful as it may be to compare published per capita or per breach data statistics with litigation settlement amounts, it’s also important to identify the full scope of costs and expenses that the published statistics include, as well as what costs and expenses are not included in the settlement amounts.

Data breach cost statistics and litigation settlement amounts don’t include non-monetary settlement obligations. 

Cost-per-record, cost-per-breach, and litigation settlement figures can be particularly meaningful and relatable, especially when considering or counseling clients as to the potential financial impacts of data security breaches. Notably, however, the material obligations of defendants settling data breach litigation matters typically are not limited to monetary payments. Aetna, for example, as part of its settlement, also agreed to develop and implement a “best practices” policy for use of certain personally identifiable information, to provide policy updates for five years, to provide policy training for certain Aetna personnel for five years, and to require outside litigation counsel to sign business associate agreements, among other commitments. These activities will require Aetna to incur additional costs and expenses, including costs and expenses for internal and, possibly, external resources in connection with the performance of these activities.

Supplementing the earlier post on this Aetna class action litigation and lessons learned, the recent Aetna settlement and the new lessons cited above provide an even fuller picture of data and security breach and related contract considerations. Not only is it invaluable to consider data privacy and security issues in contracts and the roles of vendors and service providers, it also is important to consider and counsel clients as to the full potential impacts of data breaches, including potential litigation settlement amounts, costs and expenses in addition to settlement amounts, and non-monetary settlement-related obligations.

What Does Ransomware Cost Companies?

In its 10-Q filing for the quarter ended September 30, 2017, Merck & Co., Inc. stated the following:

On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. … [T]he Company was unable to fulfill orders for certain other products in certain markets, which had an unfavorable effect on sales for the third quarter and first nine months of 2017 of approximately $135 million. … In addition, the Company recorded manufacturing-related expenses, … as well as expenses related to remediation efforts … , which aggregated $175 million for the third quarter and first nine months of 2017.

Read more

Lost Profits: Direct or Indirect Damages?

In 2014, the New York Court of Appeals, in Biotronik A.G. v. Conor Medsystems Ireland, Ltd., held that the lost profits claimed by a party were “general damages”, and were recoverable. They were recoverable despite the limitation of liability provision in the contract, which stated that neither party would be liable for “any indirect, special, consequential, incidental or punitive damage with respect to any claim arising out of [the] agreement” for any reason, including a party’s performance or breach of the agreement.

Why is a case that was decided in 2014 worthy of writing about now? It’s been over three years since the Court’s decision, and we still commonly see limitation of liability language in commercial contracts that does not clearly address the issue of lost profits, and whether they are direct or indirect damages. That may be a strategic decision of the drafter, or it may be an oversight. While New York law does not govern all commercial contracts, other courts may rely on Biotronik in the future, or reach a similar holding independently. Regardless, it’s generally better to have a contract that clearly expresses the intent of the parties, rather than have a court determine it.

Direct Damages vs. Indirect Damages

Consider whether lost profits are reasonably foreseeable and quantifiable. Will breach of the contract almost surely cause a party to lose profits? Is there a reasonably certain way to prove the amount of lost profits? If so, lost profits may be considered direct damages. For example, if the parties have a non-compete agreement, the main purpose of that agreement is to ensure one party does not compete with the other party for business, thereby diverting customers, which results in lost profits. Lost profits can be reasonably quantified by sales to each diverted customer by the competing party. This is a situation where lost profits would likely be considered direct damages.

Defining Lost Profits

Consider whether the parties want lost profits to be recoverable. A provision can be included in the contract expressly stating that lost profits are direct damages, or that lost profits are indirect damages. Limitation of liability language can be included that states lost profits are not recoverable, regardless of how they are categorized. Alternatively, the limitation of liability language can expressly exclude lost profits from the limitation, making them recoverable.

Ultimately, whether lost profits should be recoverable, and how they are addressed in a contract will depend on the individual relationship or transaction in question. Given the potential for dispute, drafting clear language is key.