A recent federal court ruling against a bold motion by health plan Anthem Inc., which is fighting a consolidated class-action lawsuit in the wake of its massive data breach, spotlights some of the very complex questions that are at the center of many data breach cases.
Because there are so many large data breaches these days, how can an individual who potentially suffers identity theft or tax fraud ever know for sure the root cause of those crimes? Was it the Anthem breach, or perhaps one of the countless other breaches that have occurred in recent years? Perhaps the ID theft was even caused by a breach that occurred on a consumer's own computer.
That last argument was at the center of a recent request by Anthem's attorneys "for access to computers of former customers who accuse the insurance giant of failing to protect their personal information in an enormous data breach last year," reports Courthouse News Service.
Just to refresh your memory, a hacker attack on Anthem exposed the data of nearly 80 million current and former health plan members, the insurer revealed early in 2015. About 100 lawsuits against the company have been consolidated into one jumbo federal class-action case that's playing out in California.
Consumer Scrutiny?
Anthem recently filed a motion seeking permission "to access plaintiffs' computers, smartphones and tablets to image and copy them to determine whether the data breach or embedded malware was responsible for the potential harm that could include identity theft and tax problems," the news report says.
But in his oral ruling rejecting Anthem's request, U.S. District Judge Nathaniel Cousins told Anthem it was "ironic that the defense was seeking discovery of the plaintiff's personal information when the core allegations of the plaintiffs is the defense failed to protect them from damage to their personal information," according to Courthouse News Service.
An attorney representing Anthem in the class action suit declined to comment to Information Security Media Group on the ruling.
But attorney Eve Cervantez of the law firm Altshuler Berzon LLP, one of the lawyers representing plaintiffs in the case, tells me: "This is an important ruling for plaintiffs in this and other breach cases."
The court's decision - and Anthem's failed attempt at examining plaintiffs' computers - highlights some of the intricacies woven through many data breach class-action cases.
Where's the Proof?
"It is not uncommon in data breach cases for the defendant to question whether it is the cause of any harm to the plaintiff," notes privacy attorney Adam Greene of law firm Davis Wright Tremaine.
For instance, "just because a laptop was stolen or a system was hacked, does not mean that it will result in identity theft or other compensable harm," he says.
"Courts often will not award damages based on speculation of potential identity theft. Rather, a court may require evidence of causation; evidence that a particular breach caused the identity theft that caused a particular patient harm," he says. "As we have more data breaches, it becomes more challenging to trace a particular incident of identity theft back to a particular breach incident."
Privacy attorney Kirk Nahra of the law firm Wiley Rein offers a similar perspective. "Remember, so many of these class-action cases involving security breaches get dismissed early on because there is no allegation of actual damages, which is an element of a complaint in most situations," he notes.
Anthem's tactic of trying to put a spotlight on the weaknesses of plaintiffs' own security practices "isn't common - yet - because most cases haven't gotten to a point where this issue [of ID theft or fraud] is yet relevant," he says.
Blame Game?
So, was Anthem trying to play the "blame the victim" game in requesting to examine plaintiffs' computers for malware or other security problems that could be the root of potential ID theft and tax problems?
"Here, the question is causation of harm," Nahra says. "I don't think it is a 'blame the victim' strategy, but at the same time, it is a very broad approach that may have an impact on lots of individuals," he says. "Given how many security breaches there are, and the fact that many people's information may be subject to multiple breaches, the question of 'cause and effect' is a real one."
Whether the courts will allow this kind of strategy is an open question - and this is one of the first cases to address it, Nahra says. "But, at the same time, if these class actions get beyond the initial stages, we are going to have to have some way of connecting the dots, as we would in any other kind of case making this kind of claims.
"The connection between an action and a harm always needs to be made, even in the simplest of tort claims," Nahra notes. "This is just a high tech version of this issue that could involve lots of people."
So, was it fair game for Anthem to raise the question of whether plaintiffs' own weak security practices were potentially to blame for increased risk of ID theft and other crimes? Or was the motion nothing more than a very desperate ploy? I invite you to share your views in the space below.