A $115 million Anthem data breach settlement has been agreed in the consolidated data breach case filed on behalf of the 78.8 million victims of the firm’s 2015 data breach.
If the Anthem data breach settlement is approved by the judge presiding over the case it will be a record-breaker – The largest data breach settlement ever reached. That said, the amount each victim will receive will be low. Lawyers will take one third of the settlement, leaving little for the data breach victims. The Anthem data breach settlement may be a record-breaker, but take out the lawyers’ fees and it only amounts to around one dollar per breach victim, although not all victims are members of the class-action.
Once lawyers’ fees have been taken out of the Anthem data breach settlement, the remainder will cover an additional two years of credit monitoring services for the plaintiffs at a cost of $17 million. Data breach victims have already been provided with complimentary credit monitoring services for two years, with this settlement increasing that to four years.
Individuals who have already enrolled in credit monitoring services are likely to be given the option of a cash payment instead of an extension, with the amount expected to be $36 per victim, possibly up to $50 if funds are available.
Anthem has also taken $15 million out of the settlement which will be set aside to cover out-of-pocket expenses incurred by the plaintiffs, with payments made on a case-by-case basis for as long as there are funds available.
Anthem has also agreed to guarantee funding for improvements to information security. The measures to be introduced include encryption, better access controls and changes to how the firm archives sensitive data. It is not clear exactly how much will be spent on these additional controls, with Anthem saying the guarantee will be for “a certain level of funding.”
The settlement has been agreed without any admission of liability. Anthem also maintains that there was no evidence uncovered to suggest any of the data stolen in the attack has been misused.
Should any funds remain, they will be split between the Electronic Frontier Foundation and the Center for Education and Research in Information Assurance Security at Purdue University.