PHILADELPHIA - The U.S. District Court for the Eastern District of Pennsylvania has given preliminary approval in a class action lawsuit involving a company-wide data breach.
In the ruling on Jan. 23, U.S. District Judge Gene E.K. Pratter said the preliminary approval of the proposed class settlement is granted because the notice plan is reasonably designed to notify class members of the settlement agreement and several factors prove that it’s a reasonable agreement.
The issue of attorneys fees will be sorted out in a July final approval hearing. The Philadelphia firm Levin Sedran & Berman represented the plaintiffs, as did the Florida firm Morgan & Morgan.
The parties reached a settlement agreement after Accolade Inc. allegedly released the plaintiffs’ personal identifying information in a company-wide data breach.
“In January 2017, Accolade Inc. was the target of a phishing scheme,” the opinion said. “A cybercriminal requested the W-2s for current and former U.S.-based Accolade employees from an Accolade employee who then sent the unencrypted files via email.”
The W-2s included personally identifying information such as employees’ names, addresses, Social Security numbers, salaries and taxes withheld for 2016, according to the lawsuit.
Tashica Fulton-Green and Daniel Crevak, who were affected by the breach, filed suit against Accolade on behalf of themselves and all others similarly situated, alleging negligence, negligence per se, breach of implied contract and breach of fiduciary duty.
The court said class members who had a false tax return filed, had an IRS tax transcript requested using their data or experienced incidents of other identity theft or financial fraud are eligible for a payment of $75.
The settlement was reached as a result of arm’s-length negotiations with an experienced mediator.
“The mediator, who will also serve as claims referee, has experience in that capacity as well,” the opinion said. “Based on the information provided and critically considered by the court, proposed class counsel are experienced in litigating and resolving data breach class actions such as this.”
Pratter said the settlement agreement protects class members whose information was released in the data breach, reimbursing them for the time and expense spent dealing with the effects of the data breach and putting systems in place at Accolade to prevent a similar breach in the future.
Citing Federal Rule of Civil Procedure 23(a), the court said one of the factors to consider in certifying a class is whether “the class is so numerous that joinder of all members is impracticable.” According to the opinion, the proposed class in this case meets the numerosity requirement because it includes 973 people.
The second factor to consider in certifying a class, according to the court, is whether “there are questions of law or fact common to the class.” In this case, the court said the proposed class members all suffered from the same data breach, so there are common questions as to how the data breach occurred, whether Accolade had a duty to protect data, and whether the employees were harmed by the breach.
According to the opinion, their claims are not only similar to those of other class members but are virtually identical.
“Ms. Fulton-Green and Mr. Crevak each seek to hold Accolade liable for damages related to the breach and share common questions of law and fact with all other class members,” the opinion said.
The court also focused on adequacy – whether “the representative parties will fairly and adequately protect the interests of the class.”
“There are no discernable conflicts between named class representatives and other potential class members,” the opinion said. “Class counsel are well-experienced and qualified.”