[BreachExchange] The Anthem Breach – A Retrospective

Thu Jan 19 19:32:10 EST 2017

http://www.jdsupra.com/legalnews/the-anthem-breach-an-retrospective-58445/

Many people and news outlets have opined, weighed in, and informed the
public about the 2015 Anthem breach. It is still a hot topic in January
2017, because it currently lines up with other hot stories about hacking
ordered by foreign governments.  But even before the Anthem breach was
linked to one of the biggest issues of the 2016 election cycle, it was an
important data incident, for several reasons

Why was the Anthem breach important at that time?

The Anthem breach was notable because it was the first major data breach
that potentially involved protected health information. Media coverage
about the breach in 2015 reported that that personal information of
affected individuals was apparently sitting on Anthem’s servers
unencrypted.  Encryption of PHI at rest (i.e. data that is not moving) is a
much more common data security practice in 2017, in part because of the
lessons learned from the Anthem breach. Some laws now even require personal
information to be encrypted when at rest.

Another novelty at the time was a tactic employed by the hackers in the
Anthem breach.  When Anthem first learned of breach, it emailed affected
individuals saying it would send follow-up emails with more information and
next steps. On its face, this seemed like the fastest way to inform the
affected individuals.  But before Anthem followed up, the hackers used the
data trail and content from the initial e-mail as a ruse to scam impacted
data subjects into providing even more sensitive personal information.
Again, this provided a valuable lesson for the future, to Anthem and other
companies impacted by hacker-caused data breaches.

The class-actions filed in the wake of Anthem survived commonly asserted
“lack of standing” defense.

About a hundred lawsuits filed against Anthem in the wake of the breach
were consolidated into one federal class-action case in California. Some
claims were asserted under California law, which is much more sympathetic
to a consumers’ right to privacy than some other states. Usually, a
threshold issue in any data breach class action is the issue of “standing,”
which is raised early, at the motion to dismiss stage.  In order to
overcome this challenge, the plaintiffs’ complaint must sufficiently allege
actual harm suffered because of the breach.  Many a data breach class
action has failed this test and been thrown out before the discovery stage.

Anthem filed a motion to dismiss, but the judge rejected it. In 2015, this
result was not very common.  In fact, it’s still not very common, but
plaintiffs are getting better and more sophisticated at alleging actual
harm sufficient to beat back a standing challenge.  The denial of Anthem’s
motion to dismissed caused people to take notice.

In fact, the Anthem case is continuing, long after the stage where the
average data breach case is thrown out, and it is well into discovery.
But, the class has still not been certified.  Class certification remains
an obstacle that has yet to be successfully dodged in any data breach class
action case.   Despite 12 years of litigation over data breaches, no court
has yet certified a consumer breach class.

What role did the affected individuals play in the breach?

Perhaps there is a visceral reaction when a company like Anthem gets hacked
and personally identifiable information is exposed.   Perhaps that reaction
is justified.  But what personal behaviors do consumers engage in both
offline and online to enhance the likelihood that a wrongdoer can
compromise personally identifiable data?  Some Internet users are their own
worst enemies in this regard.

Consumers should not assume that they cannot or will not be affected by a
data breach. Every consumer should regularly take safety precautions to
reduce the risk that their personal information is not needlessly exposed.
For instance, they should regularly check the privacy policies of the
websites they visit.  If they aren’t comfortable with the information
collection practices of a company they do business with, they should either
“opt-out” or vote with their feet by choosing another company with which to
do business.  They should also regularly check their free credit reports
through services like Credit Karma.

The Anthem breach also should have served as a reminder of a very important
fact: no organization, no matter how large and no matter what security
protocols are in place, is immune from its systems being compromised.
Continued vigilance by entities that store personally identifiable
information, as well as by consumers who often willingly provide it, are
necessary to minimize the potential for harm that can result from its
misuse.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170119/1f692640/attachment.html>