OAKLAND – Now that a new identity protection vendor is secured, a federal judge has finalized a $350,000 settlement in a class action data breach complaint.
Angele Giroux sued her employer, Essex Property Trust, saying it failed to implement reasonable security measures that might have prevented a 2016 data breach in which cyber criminals accessed names, Social Security numbers and 2015 payroll data for her and 2,500 current and former employees.
According to an order Judge Haywood Gilliam Jr. of the U.S. District Court for the Northern District of California issued May 14, the parties engaged in “extensive formal discovery” leading to private mediation and a settlement agreement. They jointly sought preliminary improvement for that deal on April 19, 2018, leading to a plan for notifying class members.
After a Sept. 20, 2018, fairness hearing, the court approved the settlement March 14. The terms of the settlement call for Essex to provide approximately $70 per affected worker as well as credit monitoring and three years of identity theft protection. Gilliam said a $5,000 incentive award goes to Giroux and while the class counsel will collect legal fees of $140,000 and recover costs and expenses of $9,500. Giroux is represented by Donald W. Heyrich and Mamta Ahluwalia of HKM Employment Attorneys LLP and Kyann C. Kalin of Stutheit Kalin LLC.
Essex had already bought two years of credit monitoring and identity protection coverage through AllClear in March 2016 and agreed to another three years as part of the settlement. However, 11 days after Gilliam’s approval, AllClear said due to its acquisition by Experian, it could no longer provide those services agreed to in the settlement. Eventually Giroux and Essex arranged for Equifax to provide the services for three years.
The class includes anyone whose 2015 W-2 forms linked to their Essex employment were accessed as a result of the phishing attack. Gilliam appointed Simpluris as third-party settlement administrator, charged with notifying current and former Essex employees by email and regular post.
“Simpluris verified the addresses with the National Change of Address Database,” Gilliam wrote, and “performed an advanced address search for any returned notice packets. Updated addresses could not be found for 42 class members, even after further tracing efforts.”
Only 12 class members opted out of the agreement and none lodged an objection to the terms.
“The amount offered in settlement is reasonable in light of the strength of the underlying case,” Gilliam wrote. "Plaintiff concedes that she would face both factual and legal hurdles were she to continue litigating, including establishing Article III standing for individuals whose data has been compromised, and overcoming the argument that the economic loss rule bars any negligence claims.”
Gilliam said Essex showed “apparent willingness to defend against this action,” meaning Giroux wasn’t guaranteed a favorable outcome through litigation. He further noted Giroux could only reach the settlement after conducting extensive discovery and reviewing “documents that detailed the extent and effects of the data breach.”
Calling the deal “fair, adequate and reasonable,” and also finding Equifax to be a suitable stand in as identity protection vendor, Gilliam granted the parties’ motion to amend the final approval order, directed the filing of the stipulated final judgment and closed the case.