Since health insurance giant Anthem Inc. announced millions of customers’ information had been stolen in a data breach, class-action lawsuits against the company have been filed in federal courts across the country.
Attorneys say the lawsuits are a way to provide a remedy for consumers and to hold the insurer accountable, but others say the complaints have an Achilles’ heel. Although the breach is unprecedented and consumers are fearful their identities will be stolen, the plaintiffs may not have been harmed according to the law.
Lawsuits that arise from data breaches are difficult to sustain, said Jeff Kosc, partner at Benesch Friedlander Coplan & Aronoff LLP. The biggest hurdle is to get standing since the injury has to be “certainly impending” and not characterized as a possibility in the future.
“Proving specific causation and tying it to a specific data breach, that’s difficult for the most knowledgeable security experts much less ‘Joe Consumer,’” Kosc said.
Mark Fryman Jr., attorney at Starr Austen & Miller LLP in Logansport, framed the question of harm in terms of whether plaintiffs are entitled to damages.
In order to obtain damages for poor credit, consumers would have to prove their credit troubles were caused by the Anthem breach. However, he contended the plaintiffs could be awarded damages for the time involved in protecting their credit as a result of the data leak. The judge and jury can put a value on the time consumers spent on the phone talking to creditors, monitoring their financial accounts, and making sure their credit is not compromised, he said.
Starr Austen & Miller has filed a class action against Anthem. All the lawsuits across the country are now being consolidated into multidistrict litigation.
The Anthem breach is considered the largest to date. It has been estimated to impact as many as 80 million consumers and includes the release of personal information like Social Security numbers, birth dates, street and email addresses, and health care ID numbers.
When announcing the breach in early February, Anthem characterized the cyberattack as “very sophisticated.” The company discovered the breach Jan. 29 and believes the attack started Dec. 10, 2014.
Before the Anthem breach, retailer Target Corp. had the biggest security breach in history. The store announced in January 2014 its system had been hacked and credit card and debit card information was stolen. Since then, other retailers have been hit, including Michaels Stores, Home Depot and Lowe’s along with the financial institution JPMorgan Chase.
“We’re going to keep seeing big breaches,” said Fred Cate, Indiana University Maurer School of Law professor. “I don’t think there’s any question.”
Threshold for injury
Cate, the founding director of IU’s Center for Applied Cybersecurity Research, does not think businesses realize they are vulnerable to hackers even when they see other companies get attacked. And, companies do not seem to regard a breach as big of a crisis as consumers do, he said.
Indeed, a report recently released from IU Maurer supports Cate’s perception. “The Emergence of Cybersecurity Law” shows that corporate counsel are more concerned about the potential for damage to the company’s reputation, loss of intellectual property, and regulatory action against the company after a breach than they are about potential lawsuits.
In a 2014 survey of corporate counsel conducted by Indiana Lawyer in partnership with Benesch, just 7 percent of respondents said managing risks of cybersecurity would be one of their top concerns this year.
Attorney Lynn Toops said companies know they are subject to cyberattacks but are not securing customer data.
Toops, an associate at Cohen & Malad, is part of the team working on the class action the firm has filed against Anthem. The goal of the lawsuit is to provide a “complete recovery” for the data breach victims and to send companies the message that they have to protect their consumers’ personal information, she said.
The hardest work may be convincing the courts the plaintiffs have suffered harm.
A recent ruling by the Supreme Court of the United States in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), is seen as establishing the threshold for lawsuits where the injury claimed is likely to be in the future.
There, the plaintiffs’ claim that the federal government’s surveillance program could harm them was rejected by the 5-4 majority which found future injury to be “too speculative to satisfy the well-established requirements that threatened injury must be ‘certainly impending.’” The court concluded the plaintiffs did not have standing to sue because they did not link a specific injury to the surveillance.
Still, the $3 million settlement in 2014 of a class action after the data breach of AvMed shows that plaintiffs can be successful. The plaintiffs argued unjust enrichment and maintained the insurance provider was supposed to use part of their premiums to protect their personal information.
Cohen & Malad managing partner Irwin Levin and William Riley, partner at Price Waicukauski & Riley LLC, which has also filed a class action against Anthem, said they sense a shift in the courts. Judges are better understanding the consequences consumers can suffer when their personal data is stolen.
They pointed to the January arguments before the 7th Circuit Court of Appeals in Remijas, et al. v. The Neiman Marcus Group LLC, 14-3122.
The complaint had been dismissed by the District Court on the grounds that shoppers who had their credit card numbers stolen were not injured since they would not be held accountable for any fraudulent charges. The 7th Circuit panel seemed sympathetic to the plaintiffs but a decision has yet to be handed down.
Of significance, the Anthem breach is different from the others in both the size of the loss and the kind of personal information taken. Levin said the affected individuals will have to live with the worry for decades.
“I can’t stress enough how alarming that is,” Toops said of the Anthem breach. “It was a massive data breach of 80 million Social Security numbers, unencrypted. All those Social Security numbers for 80 million consumers are now in the hands of thieves.”
In the 2015 legislative session, Indiana Attorney General Greg Zoeller is championing Senate Bill 413 which would strengthen the state’s laws on data collection and guarding information. Indiana already has laws limiting the disclosure of Social Security numbers by the state and provides for criminal penalties for unauthorized disclosures.
Companies that are breached are required to notify his office on the number of Hoosiers impacted. However, the attorney general said a national solution is needed. Data breaches are not seen at retailers in Europe because those countries do not permit companies to collect and store consumer Data. Likewise, Zoeller said, the U.S. government has to set the policy regarding the personal information of customers.
“I’m an advocate in favor of states’ authority,” Zoeller said, “but on something that’s a national problem, frankly a state attorney general is not going to be in a strong position to fix it.”
Levin and Riley agree the government should enact regulations to protect consumer information but they argue the courts have a role as well. The justice system has proven it can help those who suffer an injury, and it can be more nimble than legislatures at handling rapidly evolving technology, they said.
In addition, the pair said the class actions can hold companies accountable. If nothing is done to penalize businesses for mishandling data, the problem of data breaches is only going to compound.
Cate does not believe the lawsuits arising from the Anthem debacle will do much. The plaintiffs, he said, will have to show actual harm instead of alleging a possibility of harm in the future.
“There have been hundreds of these cases or more (after data breaches),” Cate said. “With only one or two exceptions, the consumer plaintiffs always lose.”
Information is power, Levin and Riley counter. And just having the consumers’ personal information out there is harm enough.
They are not dissuaded by the work ahead to prove injury.
“We’re hopeful Anthem will want to provide appropriate relief to our clients,” Levin said, “but we’re preparing for the long haul.”•