Thursday, January 28, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

An Impossible Standard?

by Chad Mandell
March 27, 2017
in Data Privacy, Featured
marquis outside Anthem world headquarters

Data Breach Defense Raises an Important Question

Data breaches can be PR nightmares for sure. But are they really open-and-shut cases for plaintiffs? In one high-profile case, the defense team focused on some smart questions, including whether plaintiffs were trying to hold the company to realistic standards in today’s cybersecurity environment.

Headline-grabbing data breaches at retailing, banking and media companies have underscored the importance of cybersecurity and data privacy for those involved in risk-management and corporate compliance. Back in January 2015, the health care sector in particular was alarmed to learn that hackers had broken into the IT system of Indianapolis-based health care giant Anthem and made off with the personal data of as many as 80 million Americans.

But while data breaches might be PR nightmares, they are not necessarily open-and-shut legal cases for plaintiffs. Standing can be an obstacle for some plaintiffs, and class certification remains an obstacle that has yet to be successfully overcome. Despite 12 years of litigation, in fact, no court has yet certified a consumer data breach class. The aforementioned Anthem case also highlights another question worth considering in these suits — namely, whether plaintiffs are attempting to hold companies to standards of data-privacy protection that are realistic or fair in today’s cybersecurity environment.

By way of background, in January 2017, several plaintiffs in one of the earliest-filed cases arising out of the Anthem data breach voluntarily asked a judge in the Northern District of California to dismiss the lawsuits they themselves had filed. The judge had ordered select plaintiffs to comply with a discovery request by Anthem that required them to submit their computers to an independent forensic examiner.

Anthem wanted to determine whether malware had caused data or credentials to be stolen from the plaintiffs’ computers even before the breach of Anthem’s systems. If that proved to be true, it would call into question whether the plaintiffs’ alleged injuries had truly been caused by the Anthem hack.

Legally, it isn’t surprising that Anthem should be entitled to this kind of confidential information through discovery because it pertains to the issue of causation. And yet it appears that certain plaintiffs dropped out of the suit in order to avoid disclosing this possibly confidential information via discovery. Arguably, the process might well have shown that these plaintiffs’ data or credentials had been compromised prior to the Anthem breach.

Some internet users are their own worst enemies with respect to data privacy. They essentially take zero safety precautions to reduce the risk that their personal information is not needlessly exposed. Instead of checking the privacy policies of the websites they visit and “opting out” of potentially invasive requests, they reflexively give permission to any and all requests. People still use “password” as their password or fail to take advantage of enhanced measures such as two-factor authentication. Instead of checking free credit reports via services like Credit Karma, they just assume their data has never been compromised.

Even U.S. intelligence agencies have been hacked. No organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised. Thus, it is reasonable to ask whether alleged damages in a data-breach case truly can be traced to a given hack of a particular company or whether they stem from a prior breach or multiple prior breaches of the plaintiff’s own computer.

Courts, for one, recognize the need to protect plaintiffs’ data privacy as part of the discovery process. In the Anthem case, the court, having found the information Anthem sought to be highly relevant, framed an order that drastically limited the amount of information that could be culled from forensic examination of the plaintiffs’ computers. The court also put in place multiple and extensive measures that called for tightly controlled access to the plaintiffs’ confidential information — so much so that one could safely state that the degree of protection afforded to these plaintiffs’ personal information in the course of the forensic examination would actually have been greater than under most everyday circumstances.

Even with this heightened protection, certain plaintiffs balked. As a result, one has to wonder whether they had reasonable expectations regarding their personal privacy to begin with. In suing Anthem, were they seeking to hold the company to an almost impossible standard?

It’s a question that could prove useful for other firms as they seek to defend themselves in data breach cases.


Previous Post

New York DFS Finalized Cybersecurity Regulations Take Effect

Next Post

Resilient: Jim Moroney on Leading Through Disruption

Chad Mandell

Related Posts

hand holding multicolored balloons outside

Happy Data Privacy Day!

January 28, 2021
dollar bill, stimulus check, american flag

FCA Compliance in an Era of Unprecedented Government Stimulus

January 28, 2021
open padlock on red binary background

Mitigating Legal and Reputational Risk Post-Ransomware

January 28, 2021
invisible man in black on neutral background

The Curious Absence of Corporate Monitors

January 27, 2021
Next Post
Resilient: Jim Moroney on Leading Through Disruption

Resilient: Jim Moroney on Leading Through Disruption

Access realtime data
Dynamic Risk Assessments with Workiva

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights