Updated: Jun 7, 2019
It was announced that Premera Blue Cross (PBC) has reached a civil lawsuit settlement totaling $74M. For those who don't remember, PBC suffered a cyberattack in 2014 that exposed 11M patients' ePHI. The class action lawsuit alleged that PBC failed to protect patient information.
Here's the twist and the reason I'm posting this note. $42M of the settlement money is going back into PBC for information security program improvements. I'd love to hear how you feel about a civil suit that compels a corporation to provide reasonable and appropriate security controls (i.e., something they should do as part of doing business). Only a minority of the money sued for will benefit the plaintiffs directly. To me, it's the equivalent of suing your dentist to ensure your teeth are cleaned properly. While I'm happy to see PBC improve their posture, I'd rather see companies held accountable in more effective ways. No doubt someone could read this article and think, "I'll put off that security budget until I'm forced by a court."
Do you think this agreement is a step in the right direction?