Headline-grabbing data breaches at retailing, banking and media companies have underscored the importance of cybersecurity and data privacy for those involved in risk-management and corporate compliance. Back in January 2015, the health care sector in particular was alarmed to learn that hackers had broken into the IT system of Indianapolis-based health care giant Anthem and made off with the personal data of as many as 80 million Americans.
But while data breaches might be PR nightmares, they are not necessarily open-and-shut legal cases for plaintiffs. Standing can be an obstacle for some plaintiffs, and class certification remains an obstacle that has yet to be successfully overcome. Despite 12 years of litigation, in fact, no court has yet certified a consumer data breach class. The aforementioned Anthem case also highlights another question worth considering in these suits — namely, whether plaintiffs are attempting to hold companies to standards of data-privacy protection that are realistic or fair in today’s cybersecurity environment.
By way of background, in January 2017, several plaintiffs in one of the earliest-filed cases arising out of the Anthem data breach voluntarily asked a judge in the Northern District of California to dismiss the lawsuits they themselves had filed. The judge had ordered select plaintiffs to comply with a discovery request by Anthem that required them to submit their computers to an independent forensic examiner.
Anthem wanted to determine whether malware had caused data or credentials to be stolen from the plaintiffs’ computers even before the breach of Anthem’s systems. If that proved to be true, it would call into question whether the plaintiffs’ alleged injuries had truly been caused by the Anthem hack.
Legally, it isn’t surprising that Anthem should be entitled to this kind of confidential information through discovery because it pertains to the issue of causation. And yet it appears that certain plaintiffs dropped out of the suit in order to avoid disclosing this possibly confidential information via discovery. Arguably, the process might well have shown that these plaintiffs’ data or credentials had been compromised prior to the Anthem breach.
Some internet users are their own worst enemies with respect to data privacy. They essentially take zero safety precautions to reduce the risk that their personal information is not needlessly exposed. Instead of checking the privacy policies of the websites they visit and “opting out” of potentially invasive requests, they reflexively give permission to any and all requests. People still use “password” as their password or fail to take advantage of enhanced measures such as two-factor authentication. Instead of checking free credit reports via services like Credit Karma, they just assume their data has never been compromised.
Even U.S. intelligence agencies have been hacked. No organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised. Thus, it is reasonable to ask whether alleged damages in a data-breach case truly can be traced to a given hack of a particular company or whether they stem from a prior breach or multiple prior breaches of the plaintiff’s own computer.
Courts, for one, recognize the need to protect plaintiffs’ data privacy as part of the discovery process. In the Anthem case, the court, having found the information Anthem sought to be highly relevant, framed an order that drastically limited the amount of information that could be culled from forensic examination of the plaintiffs’ computers. The court also put in place multiple and extensive measures that called for tightly controlled access to the plaintiffs’ confidential information — so much so that one could safely state that the degree of protection afforded to these plaintiffs’ personal information in the course of the forensic examination would actually have been greater than under most everyday circumstances.
Even with this heightened protection, certain plaintiffs balked. As a result, one has to wonder whether they had reasonable expectations regarding their personal privacy to begin with. In suing Anthem, were they seeking to hold the company to an almost impossible standard?
It’s a question that could prove useful for other firms as they seek to defend themselves in data breach cases.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Chad Mandell, a veteran business litigator, focuses his practice on intellectual property and technology. He is a partner in the Los Angeles office of national law firm LeClairRyan and can be reached at firstname.lastname@example.org.