Anthem defense in data-breach case questions plaintiffs’ privacy expectations

Lawsuits raise question of whether data protection is held to an unreasonably high standard


The health care sector was alarmed in January 2015 to learn that hackers had broken into the IT system of Anthem and made off with the personal data of as many as 80 million Americans.

For those who were only casually familiar with the technical side of data privacy and cybersecurity, it was easy to read the headline and assume that the Indianapolis-based health care giant had committed some egregious act of negligence.

However, it bears remembering that even U.S. intelligence agencies have suffered major hacks, as the data dump from WikiLeaks last March amply illustrated. WikiLeaks—recently lambasted as a threat to U.S. national security by CIA Director Mike Pompeo—published juicy details of malware and hacking tools the CIA can use to hack into smart TVs as well as iPhones and Android-based devices.

Organizations can put in place best-in-class cybersecurity infrastructure, but the weak point is often human behavior—an employee who falls for a phishing scam and clicks on the wrong link, or an executive who inserts a thumb drive supplied by a “vendor” (in truth, a hacking group’s accomplice) and compromises terabytes of company data.


Patients and consumers are people, too, and their behavior with respect to protecting even their own personal data is regrettably lax. Indeed, some internet users are their own worst enemies with respect to data privacy.

Few take precautions

They take essentially zero safety precautions to reduce the risk that their personal information is needlessly exposed. Instead of checking the privacy policies of the websites they visit and “opting out” of potentially invasive requests, they reflexively give permission to any and all requests. People still use “password” as their password or fail to take advantage of enhanced measures such as two-factor authentication. One could go on.

Thus, lawyers in the Anthem case asked a smart question as part of their defense strategy. In a nutshell, they wanted to find out whether malware had caused data or credentials to be stolen from the plaintiffs’ computers even before the breach of Anthem’s systems. If that proved to be true, it would call into question whether the plaintiffs’ alleged injuries had truly been caused by the Anthem hack.

Previous breaches?

Knowing what we do about social engineering, it is reasonable to ask whether alleged damages (identity theft, a destroyed credit rating, etc.) can be traced to a given hack of a particular company or whether, instead, they actually stem from prior breaches of the plaintiff’s own computer.

Earlier this year, after Anthem’s defense team pursued this question, something surprising happened: Several plaintiffs voluntarily asked the judge to dismiss the claims they had filed. The judge had ordered the plaintiffs to comply with Anthem’s discovery request and submit their computers to an independent forensic examiner.

Plaintiffs call it quits

It appears that certain plaintiffs dropped out of the suit in order to avoid giving the court access to their computers and data, despite strict protocols put in place to protect plaintiffs’ data privacy. Indeed, it is no exaggeration to say that the degree of protection afforded to these plaintiffs’ personal information in the course of the forensic examination would have been greater than under everyday circumstances.

Even with this heightened protection, though, some of the plaintiffs balked. As a result, one has to wonder whether they had reasonable expectations regarding their personal privacy to begin with. In suing Anthem, were they seeking to hold the company to an almost impossible standard? It’s a question that could prove useful for other firms as they seek to defend themselves in data breach cases.
