[BreachExchange] An Assessment of the Anthem Data Breach Litigation Rulings

[Audrey McNeil]

http://blog.ericgoldman.org/archives/2016/08/an-
assessment-of-the-anthem-data-breach-litigation-rulings-guest-blog-post.htm

Following her ruling denying in part the motions to dismiss in the Adobe
breach case, Judge Koh has again gone against the tide and filed two more
plaintiff-friendly opinions on the viability of class action data breach
claims.  Defense counsel seeking practice pointers would note the failure
effectively to exclude third party beneficiaries as enforcers of a data
management agreement, and the use of integration clauses that inadvertently
opened the door to making privacy notices enforceable parts of a contract.

The Blue Cross/Blue Shield data breach at issue in this case began in
December 2014 and lasted through the end of January 2015; notices were sent
out in February 2015.  The original consolidated amended complaint had 13
separate counts, each with multiple claims under the laws of various
states. The first round of motions to dismiss was limited to ten claims,
five selected by plaintiffs and five by defendants.  The surviving claims
from Anthem I were: California UCL, New York G.B.L. 349, and federal
third-party contract beneficiary claims.  Dismissed with leave to amend in
Anthem I were California breach of contract, New Jersey breach of contract,
New York unjust enrichment and Georgia Information and Privacy Protection
Act claims.  Dismissed with prejudice in Anthem I were the Indiana
negligence, Kentucky Consumer Protection Act and Kentucky Data Breach Act
claims. Anthem I also dismissed claims as to certain defendants on the
grounds that there were no factual allegations going to the involvement of
those defendants. That outcome was partially overturned in Anthem II.

Highlights (or Lowlights?) of Anthem II:

- PII has intrinsic monetary value as reflected by prices on the illegal
market;
- Insurance premiums could be basis for damages despite no express
allocation to data security;
- Annual privacy notices from health insurers were inadvertently
incorporated by reference;
- HIPAA business associate agreement conferred third party beneficiary
rights on insured persons; and
- Named plaintiffs from State A with claims against provider in State A
could also stand for plaintiffs in State A enrolled across state lines by
local affiliates in States B, C and D.

Incorporation By Reference

Anthem I dismissed contract claims (with leave) because they failed to
plead facts necessary to show that the privacy notices were incorporated
into the contracts.  The Anthem plaintiffs took the hint.  The California
breach of contract claim was among the ten selected for treatment on motion
to dismiss, and the defense maintained that the annual notices and other
privacy policies were not part of the contract of insurance.  But the
summary of benefits received by the California public employees
specifically referred to the annual mailings in terms such as “you have the
right to receive a copy of the Notice of Privacy Practices” and such
specificity pointed to incorporation. The statement that the insurer itself
would handle information “subject to all applicable confidentiality
requirements” with a cross-reference to the Notice of Privacy Practices as
encompassing its policies with respect to information privacy and security
suggested incorporation by reference.  Anthem argued that an integration
clause in the contract precluded incorporation of the privacy policies and
statements, but the clause failed because it incorporated other documents
that contained specific references to the Notice and other privacy
policies. The defense also argued that the privacy policies, especially the
annual notice, were not enforceable because they merely articulated legal
obligations imposed on the insurers by applicable law. The court rejected
this based on the wording of the policies themselves, as they did not
expressly limit the insurer’s obligation to the requirements of applicable
law, but included comfort language promising to go further.

Third Party Beneficiaries

In more bad news for the defendants, the court held as a matter of first
impression that California public employees, for whom BCBS of California
acted as plan administrator, could claim as third party beneficiaries of
the HIPAA business associate agreement between BCBS of California and the
California Public Employees Retirement System. The defense argued that the
business associate agreement, like the annual Notice of Privacy Practices,
was no more than a pro forma statement of legal obligations.  The court
noted that a business associate agreement may cover more than HIPAA
requires.  Because the business associate agreement was attached to the ASO
agreement for California public employees, the ASO agreement could
incorporate the various privacy policies and the class could go forward as
third-party beneficiaries of the business associate agreement.  A
third-party beneficiary must “take the contract as he finds it” but the
public employees met this requirement, because Anthem admitted that CalPERS
itself could recover damages if BCBS had breached the business associate
agreement.  Some other named plaintiffs, whose ASO agreements expressly
disclaimed any third-party beneficiaries, had their California breach
claims dismissed.

Damages

Although contract damages must be quantifiable, failure to earmark part of
an insurance premium for data security did not mean overpayment could not
be quantified.  The Anthem II court addressed two kinds of arguments that
damages based on overpayment of insurance premiums would be barred by
preemptive regulatory schemes.  Such damages were barred in New Jersey by
the filed rate doctrine, which prohibits courts from entertaining
challenges to regulated rates.  But they were not barred by ERISA, which
preempts only state claims involving “benefits” (such as payments to health
care providers) as distinct from premiums.  Federal employees who purchased
health insurance through the Office of Personnel Management (OPM) were
among the plaintiffs.  Anthem I said they could bring suit as third-party
beneficiaries of their insurance contracts, and Anthem II that the kinds of
damages they sought could be recovered either as contract damages or in
restitution.

Most courts that have considered the claim that personal information has
some intrinsic, non-statutory monetary value to the individual have
rejected it, unmoved by revelations about high prices on the invisible
illegal market, and usually noting that the plaintiffs have not alleged
that they ever could have sold, or intended to sell, their personal
information into such a market.  The Anthem IIcourt broke from this
tradition and held that, because such extensive PII as was stolen in the
Anthem breach is demonstrably traded for value on the illegal market,
exposing the information to that market causes  economic injury; it is a
jump from there to say that the plaintiff has been deprived of the value —
the direct costs fall on the defrauded merchants or banks — but the Anthem
II court made the leap.  It was sufficient that there was an illegal market
for the plaintiff’s information; it was not also required that the
plaintiff intended to or could have sold her information into that market.

The Anthem II court gave two reasons for rejecting a challenge to
prophylactic and remedial expenditures, which it calls “consequential”
damages.  First, it strongly condemned the argument that for many
plaintiffs, other data breaches might have been the cause or partial cause;
allowing such arguments would create a perverse incentive for businesses to
relax their data security measures.  Second, it noted that the complaint
need only plead causation, not prove it, and that if the defendants
asserted an alternate cause, the burden of proof would shift to them on
that issue.

Disclosure vs. Negligent Retention

Statutes that prohibit intentional disclosure of information (as opposed to
negligent retention) do not fit well in data security breach cases.  The
Anthem II court construed, as a matter of first impression, the Georgia
Insurance Information and Privacy Protection Act, Georgia Code Ann. §
33-39-14.  Because a statutory prohibition against disclosure is not
violated through merely negligent retention, the court dismissed with
prejudice.

California UCL

The claims for unfair and unlawful business practices survived while the
claim for fraudulent business practices was dismissed with leave to amend.
The UCL has emerged as a preferred vehicle for data breach claims because
it creates a private right of action premised on violations of statutes
that do not themselves provide such private rights.

UCL Standing

The grounds for standing under the UCL are narrower than Article III
because a heightened risk of future harm, regardless of how certainly
impending, is not an injury in fact for UCL standing.  But the UCL does not
require a showing of causation for standing.  Here the viability of the
damages theory conferred UCL standing. And, although a contract claim
requires privity or third-party beneficiary status, the UCL presumptively
allows claims by third parties who were induced by the defendant to pay
money to someone else. For these reasons, the there was no legally
significant distinction between the ASO plaintiffs and the direct
purchasers of health insurance for purposes of standing on the California
UCL claim.

UCL Unlawful

The defense chose not to challenge the FTC Act, Graham-Leach-Bliley or
HIPAA as possible statutory bases, so those claims survived; the plaintiffs
chose not to argue for the asserted bases in California law, so those
claims were dismissed with prejudice.

UCL Unfair

There are various tests for the UCL’s unfairness prong among California
courts, but Anthem I adopted the “balancing test” which requires courts to
“weigh the utility of the defendant’s conduct against the gravity of the
harm to the alleged victim.” The defense failed to address the balancing
test, despite the court’s having signaled that this was the applicable one.
The court referred to its own opinion in Adobe for the finding that data
protection is embedded in the public policy of California, and said acts
that are contrary to established public policy are presumptively unfair.

UCL Fraud

On the fraud prong of the UCL, the claims based on fraudulent omission
survived, but those based on affirmative misrepresentation were dismissed
with leave to amend.  As to misrepresentation, the plaintiffs failed to
plead reliance on the privacy policies except in a single conclusory
sentence.  Reliance on fraudulent omission is easier to plead because the
specificity rule is relaxed in the case of claims of fraudulent omission.

NY GBL 349

The court followed the Second Circuit, holding that claims under this
statute are not required to be pleaded with the specificity FRCP 9(B)
requires of fraud claims in general.  The defense acknowledged that the
analysis would be the same as for California UCL claims under the fraud
prong, so the GBL 349 omission claims survived (except as to the
governmental employees, who paid neither to the insurer nor the
administrator) while the misrepresentation claims were dismissed with leave.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160808/b60133ca/attachment.html>