Anthem defense in data-breach case questions plaintiffs’ privacy expectations
Lawsuits raise question of whether data protection is held to an unreasonably high standard
By Chad M. Mandell, Special to ThirdCertainty
The health care sector was alarmed in January 2015 to learn that hackers had broken into the IT system of Anthem and made off with the personal data of as many as 80 million Americans.
For those who were only casually familiar with the technical side of data privacy and cybersecurity, it was easy to read the headline and assume that the Indianapolis-based health care giant had committed some egregious act of negligence.
However, it bears remembering that even U.S. intelligence agencies have suffered major hacks, as the data dump from WikiLeaks last March amply illustrated. WikiLeaks—recently lambasted as a threat to U.S. national security by CIA Director Mike Pompeo—published juicy details of malware and hacking tools the CIA can use to hack into smart TVs as well as iPhones and Android-based devices.
Organizations can put in place best-in-class cybersecurity infrastructure, but the weak point is often human behavior—an employee who falls for a phishing scam and clicks on the wrong link, or an executive who inserts a thumb drive supplied by a “vendor” (in truth, a hacking group’s accomplice) and compromises terabytes of company data.
Patients and consumers are people, too, and their behavior with respect to protecting even their own personal data is regrettably lax. Indeed, some internet users are their own worst enemies with respect to data privacy.
Few take precautions
They essentially take zero safety precautions to reduce the risk that their personal information is needlessly exposed. Instead of checking the privacy policies of the websites they visit and “opting out” of potentially invasive requests, they reflexively give permission to any and all requests. People still use “password” as their password, or fail to take advantage of enhanced measures such as two-factor authentication. One could go on.
Thus, lawyers in the Anthem case asked a smart question as part of their defense strategy. In a nutshell, they wanted to find out whether malware had caused data or credentials to be stolen from the plaintiffs’ computers even before the breach of Anthem’s systems. If that proved to be true, it would call into question whether the plaintiffs’ alleged injuries had truly been caused by the Anthem hack.
Knowing what we do about social engineering, it is reasonable to ask whether alleged damages (identity theft, a destroyed credit rating, etc.) can be traced to a given hack of a particular company or whether, instead, they actually stem from prior breaches of the plaintiff’s own computer.
Earlier this year, after Anthem’s defense team pursued this question, something surprising happened: Several plaintiffs voluntarily asked the judge to dismiss the claims they had filed. The judge had ordered the plaintiffs to comply with Anthem’s discovery request and submit their computers to an independent forensic examiner.
Plaintiffs call it quits
It appears that certain plaintiffs dropped out of the suit in order to avoid giving the court access to their computers and data, despite strict protocols put in place to protect plaintiffs’ data privacy. Indeed, it is no exaggeration to say that the degree of protection afforded to these plaintiffs’ personal information in the course of the forensic examination would have been greater than under everyday circumstances.
Even with this heightened protection, though, some of the plaintiffs balked. As a result, one has to wonder whether they had reasonable expectations regarding their personal privacy to begin with. In suing Anthem, were they seeking to hold the company to an almost impossible standard? It’s a question that could prove useful for other firms as they seek to defend themselves in data breach cases.