[BreachExchange] Anthem to data breach victims: Maybe the damages are your own darned fault

[Richard Forno]

Trusted Third Party
By Tim Greene, Senior Editor, Network World | Apr 10, 2017 10:24 AM PT

Anthem to data breach victims: Maybe the damages are your own darned fault

http://www.networkworld.com/article/3187522/security/anthem-to-data-breach-victims-maybe-the-damages-are-your-own-darned-fault.html

Insurance giant Anthem has effectively scared off possible victims of a 2015 data breach by asking to examine their personal computers for evidence that their own shoddy security was to blame for their information falling into the hands of criminals.

Some of the affected Anthem customers sued for damages they say resulted from the breach but then withdrew their suits after Anthem got a court order allowing the exams.

The examiners would be looking only for evidence that their credentials or other personal data had been stolen even before the Anthem hack ever took place, according to a blog by Chad Mandell, an attorney at LeClairRyan.

“If that proved to be true, it would call into question whether the plaintiffs’ alleged injuries had truly been caused by the Anthem hack,” he writes. In other words,they failed to properly secure their personal devices, so the damages they suffered might have been their own fault, not Anthem’s.

After the forensic exams were ordered, several of those who filed suit asked the judge to drop  their complaints, either because they suspected Anthem would find evidence the data was lost before the breach or because they didn’t want to submit to having their PCs snooped. Or perhaps they just didn’t want the inconvenience of giving up use of their machines for the duration of the search.

Regardless, it proved an effective legal strategy for Anthem. If just a few of those who sue walk away, it still means fewer possible payouts.

And it points out how difficult it is to prove that personal data used by criminals was stolen in a particular breach. Yes, the victim’s information was exploited, but how it got into the hands of the criminals is not so easily determined.

It might be argued that seeking forensic analysis of victim’s computers could help set a lower bar for corporate security. Why should a company offer stronger protection for their customers than the customers provide for themselves? Given that not all customers practice poor cyber defense of their own computers, that argument probably won’t fly.

But as Mandell notes, those customers who demanded perfect security from Anthem might have been asking too much. “As a result, one has to wonder whether they had reasonable expectations regarding their personal privacy to begin with,” he writes. “In suing Anthem, were they seeking to hold the company to an almost impossible standard?”