[BreachExchange] An Impossible Standard? Data Breach Defense Raises an Important Question

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 27 18:45:55 EDT 2017


http://www.corporatecomplianceinsights.com/an-impossible-standard/

Headline-grabbing data breaches at retailing, banking and media companies
have underscored the importance of cybersecurity and data privacy for those
involved in risk-management and corporate compliance. Back in January 2015,
the health care sector in particular was alarmed to learn that hackers had
broken into the IT system of Indianapolis-based health care giant Anthem
and made off with the personal data of as many as 80 million Americans.

But while data breaches might be PR nightmares, they are not necessarily
open-and-shut legal cases for plaintiffs. Standing can be an obstacle for
some plaintiffs, and class certification remains an obstacle that has yet
to be successfully overcome. Despite 12 years of litigation, in fact, no
court has yet certified a consumer data breach class. The aforementioned
Anthem case also highlights another question worth considering in these
suits — namely, whether plaintiffs are attempting to hold companies to
standards of data-privacy protection that are realistic or fair in today’s
cybersecurity environment.

By way of background, in January 2017, several plaintiffs in one of the
earliest-filed cases arising out of the Anthem data breach voluntarily
asked a judge in the Northern District of California to dismiss the
lawsuits they themselves had filed. The judge had ordered select plaintiffs
to comply with a discovery request by Anthem that required them to submit
their computers to an independent forensic examiner.

Anthem wanted to determine whether malware had caused data or credentials
to be stolen from the plaintiffs’ computers even before the breach of
Anthem’s systems. If that proved to be true, it would call into question
whether the plaintiffs’ alleged injuries had truly been caused by the
Anthem hack.

Legally, it isn’t surprising that Anthem should be entitled to this kind of
confidential information through discovery because it pertains to the issue
of causation. And yet it appears that certain plaintiffs dropped out of the
suit in order to avoid disclosing this possibly confidential information
via discovery. Arguably, the process might well have shown that these
plaintiffs’ data or credentials had been compromised prior to the Anthem
breach.

Some internet users are their own worst enemies with respect to data
privacy. They essentially take zero safety precautions to reduce the risk
that their personal information is not needlessly exposed. Instead of
checking the privacy policies of the websites they visit and “opting out”
of potentially invasive requests, they reflexively give permission to any
and all requests. People still use “password” as their password or fail to
take advantage of enhanced measures such as two-factor authentication.
Instead of checking free credit reports via services like Credit Karma,
they just assume their data has never been compromised.

Even U.S. intelligence agencies have been hacked. No organization, no
matter how large and no matter what security protocols are in place, is
immune from its systems being compromised. Thus, it is reasonable to ask
whether alleged damages in a data-breach case truly can be traced to a
given hack of a particular company or whether they stem from a prior breach
or multiple prior breaches of the plaintiff’s own computer.

Courts, for one, recognize the need to protect plaintiffs’ data privacy as
part of the discovery process. In the Anthem case, the court, having found
the information Anthem sought to be highly relevant, framed an order that
drastically limited the amount of information that could be culled from
forensic examination of the plaintiffs’ computers. The court also put in
place multiple and extensive measures that called for tightly controlled
access to the plaintiffs’ confidential information — so much so that one
could safely state that the degree of protection afforded to these
plaintiffs’ personal information in the course of the forensic examination
would actually have been greater than under most everyday circumstances.

Even with this heightened protection, certain plaintiffs balked. As a
result, one has to wonder whether they had reasonable expectations
regarding their personal privacy to begin with. In suing Anthem, were they
seeking to hold the company to an almost impossible standard?

It’s a question that could prove useful for other firms as they seek to
defend themselves in data breach cases.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170327/b9c01444/attachment.html>


More information about the BreachExchange mailing list