Jaikumar Vijayan

After an unprecedented online assault took down cybersecurity journalist Brian Krebs's influential cybersecurity blog, he was able to return to the web because of a new service that protects journalists and activists from online censorship.

Courts have generally tended to dismiss consumer class-action lawsuits filed against companies that suffer data breaches if victims can't show that the breach directly caused a financial hit.

A federal court in Florida broke the mold by approving a $3 million settlement for victims of a data breach in which personal health information was exposed when multiple laptops containing the unencrypted data were stolen. The Dec 2009 theft of laptops belonging to AvMed, a Florida-based health insurer, exposed the patient records of tens of thousands of its customers. Several victims later filed a putative class action lawsuit against AvMed.

The plaintiffs suffered no direct losses or identity theft from the breach but nevertheless accused AvMed of negligence, breach of contract, breach of fiduciary duty and unjust enrichment. The US District Court for the Southern District of Florida, which heard the case, dismissed the claims against AvMed two separate times.

However, upon appeal by the plaintiffs, the US Court of Appeals for the Eleventh Circuit allowed several of the claims, including those pertaining to negligence and breach of contract, to remain, and remanded the case back to the district court. When AvMed again filed a motion to dismiss the class action claims yet again, the district court refused to do so, prompting the health insurer and the plaintiffs to enter into settlement talks.

The settlement is believed to be the first in which victims of a data breach are compensated without having to show they suffered any losses from the theft of their personal data.