[BreachExchange] Unusual Ploy in Anthem Breach Case Fails

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 11 19:04:51 EDT 2016


http://www.databreachtoday.com/blogs/unusual-ploy-in-anthem-breach-case-fails-p-2101

A recent federal court ruling against a bold motion by health plan Anthem
Inc., which is fighting a consolidated class-action lawsuit in the wake of
its massive data breach, spotlights some of the very complex questions that
are at the center of many data breach cases.

Because there are so many large data breaches these days, how can an
individual who potentially suffers identity theft or tax fraud ever know
for sure the root cause of those crimes? Was it the Anthem breach, or
perhaps one of the countless other breaches that have occurred in recent
years? Perhaps the ID theft was even caused by a breach that occurred on a
consumer's own computer.

That last argument was at the center of a recent request by Anthem's
attorneys "for access to computers of former customers who accuse the
insurance giant of failing to protect their personal information in an
enormous data breach last year," reports Courthouse News Service.

Just to refresh your memory, a hacker attack on Anthem exposed the data of
nearly 80 million current and former health plan members, the insurer
revealed early in 2015. About 100 lawsuits against the company have been
consolidated into one jumbo federal class-action case that's playing out in
California.

Consumer Scrutiny?

Anthem recently filed a motion seeking permission "to access plaintiffs'
computers, smartphones and tablets to image and copy them to determine
whether the data breach or embedded malware was responsible for the
potential harm that could include identity theft and tax problems," the
news report says.

But in his oral ruling rejecting Anthem's request, U.S. District Judge
Nathaniel Cousins told Anthem it was "ironic that the defense was seeking
discovery of the plaintiff's personal information when the core allegations
of the plaintiffs is the defense failed to protect them from damage to
their personal information," according to Courthouse News Service.

An attorney representing Anthem in the class action suit declined to
comment to Information Security Media Group on the ruling.

But attorney Eve Cervantez of the law firm Altshuler Berzon LLP, one of the
lawyers representing plaintiffs in the case, tells me: "This is an
important ruling for plaintiffs in this and other breach cases."

The court's decision - and Anthem's failed attempt at examining plaintiffs'
computers - highlight some of the intricacies woven through many data
breach class-action cases.

Where's the Proof?

"It is not uncommon in data breach cases for the defendant to question
whether it is the cause of any harm to the plaintiff," notes privacy
attorney Adam Greene of law firm Davis Wright Tremaine.

For instance, "just because a laptop was stolen or a system was hacked,
does not mean that it will result in identity theft or other compensable
harm," he says.

"Courts often will not award damages based on speculation of potential
identity theft. Rather, a court may require evidence of causation; evidence
that a particular breach caused the identity theft that caused a particular
patient harm," he says. "As we have more data breaches, it becomes more
challenging to trace a particular incident of identity theft back to a
particular breach incident."

Privacy attorney Kirk Nahra of the law firm Wiley Rein offers a similar
perspective. "Remember, so many of these class-action cases involving
security breaches get dismissed early on because there is no allegation of
actual damages, which is an element of a complaint in most situations," he
notes.

Anthem's tactic of trying to put a spotlight on the weaknesses of
plaintiffs' own security practices "isn't common - yet - because most cases
haven't gotten to a point where this issue [of ID theft or fraud] is yet
relevant," he says.

Blame Game?

So, was Anthem trying to play the "blame the victim" game in requesting to
examine plaintiffs' computers for malware or other security problems that
could be the root of potential ID theft and tax problems?

"Here, the question is causation of harm," Nahra says. "I don't think it is
a 'blame the victim' strategy, but at the same time, it is a very broad
approach that may have an impact on lots of individuals," he says. "Given
how many security breaches there are, and the fact that many people's
information may be subject to multiple breaches, the question of 'cause and
effect' is a real one."

Whether the courts will allow this kind of strategy is an open question -
and this is one of the first cases to address it, Nahra says. "But, at the
same time, if these class actions get beyond the initial stages, we are
going to have to have some way of connecting the dots, as we would in any
other kind of case making this kind of claim.

"The connection between an action and a harm always needs to be made, even in
the simplest of tort claims," Nahra notes. "This is just a high tech
version of this issue that could involve lots of people."

So, was it fair game for Anthem to raise the question of whether
plaintiffs' own weak security practices were potentially to blame for
increased risk of ID theft and other crimes? Or was the motion nothing more
than a very desperate ploy? I invite you to share your views in the space
below.