
Anthem hack spurs momentum for data protection regulation

By Healthcare Finance Staff

In the wake of Anthem's massive data breach, a storm of class action lawsuits is raising concerns about information protection, liability and regulation.

Less than a day after Anthem announced that hackers had accessed the records of some 80 million past and present customers, class action lawsuits were filed in Alabama, California and the home state of the insurer's Indianapolis headquarters.

Disclosing the hack and an ongoing investigation, Anthem CEO Joseph Swedish said the breach covered data on customers' names, birthdays, health plan identification numbers, Social Security numbers, addresses, email addresses, employment information and income -- including Swedish's and other employees' own personal data.

But, he said in an online letter to customers, "there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."

Lawyers for the Anthem customers who are suing, though, believe the damage could extend to medical and financial information. "Given Anthem's carefully worded and conclusory notice," customers' medical information and banking and credit information were likely compromised, they argue.

A complaint in California on behalf of an Anthem Blue Cross member argues that the company violated a number of state and federal laws by breaching its "duty to safeguard (members' personal) information properly and maintain reasonable security procedures and practices." Anthem is offering free credit monitoring and identity protection services and warning of email "phishing" scams, but has not yet responded to the lawsuits.

All of the lawsuits attempt to hold Anthem to a strict liability standard: if confidential information was stolen from Anthem's databases, the company is guilty of a failure to exercise reasonable care, as Mintz Levin attorneys Cynthia Larose and Kevin M. McGinty explain.

State data breach notification laws generally require "reasonably prompt" disclosure to those affected. And, as Larose and McGinty note, what is reasonable will vary by the context.

How far the lawsuits will go in terms of any payouts remains to be seen, probably well into the future -- joining yet-to-be resolved consumer data breach suits against Home Depot and Target. "Whenever a data breach is announced, as night follows day, lawsuits will follow," Larose and McGinty write.

But whether or not Anthem ends up having to make settlement payments, the massive hack may spur regulatory changes at the state or national level, perhaps through the largest, most progressive state.

California, like others, currently requires businesses to use "reasonable" customer data protection, but does not define methods that are reasonable.

"While this lack of specificity benefits companies that wish to be creative and innovative, it presents a challenge to those seeking a more definitive standard," argue Nossaman attorneys Janice Mock and Jill N. Jaffe in a Lexology post.

"Companies can surely count on the fact that the 'reasonable' standard will become more stringent and what has typically been considered 'reasonable' may no longer be enough," Mock and Jaffe write.

"Stricter requirements may be pushed through the legislature," they write, and the courts "will undoubtedly be asked to decide whether the status quo is sufficient, and to further define what 'reasonable' really means."

California was the first state to enact breach notification requirements, in 2002, and has consumer privacy standards that resemble European regulatory approaches. Since 2005, California's "Shine the Light" law has required companies to disclose their practices for sharing consumers' personal data with third parties, and the state recently established an online "right to be forgotten" for young people, allowing them to remove content they have posted.

Photo credit: David Iliff.
