As businesses and consumers seek to protect themselves from hackers, they should weigh lessons from the 2015 data breach of healthcare firm Anthem, advise veteran data privacy and cybersecurity attorneys from national law firm LeClairRyan.
The Russian hacking of the presidential election highlights that other well-known commercial data breaches were also likely caused by foreign state actors, write Janine A. Bowen and John P. Hutchins, in a recent post at LeClairRyan’s “Information Counts” blog. They are part of the firm’s Cyber Security, Data Privacy and Security Law practice team and are both shareholders in LeClairRyan’s Atlanta office.
On Jan. 29, 2015, Indianapolis-based Anthem learned that hackers had breached its IT system and reportedly made off with the personal data of as many as 80 million Americans.
In the post (“The Anthem Breach—A Retrospective”), Bowen and Hutchins write that the Anthem breach contained some lessons that could help other businesses better respond to such a crisis.
“When Anthem learned of the breach, it quickly notified affected individuals by e-mail and through public announcements, saying it would send follow-up information about next steps. This speedy notification was lauded by many as a best practice. But in the wake of Anthem’s public announcements, scammers sent fake e-mails to untold thousands of Anthem members and former members, which appeared to be from the company, as a ruse to scam impacted data subjects into providing additional sensitive personal information.”
On the legal front, meanwhile, the class-action lawsuits filed in the wake of the Anthem breach survived the commonly asserted “lack of standing” defense. “Usually, a threshold issue in any data breach class action is the issue of ‘standing,’ which is raised early at the motion-to-dismiss stage,” the attorneys write. “In order to overcome this challenge, the plaintiffs’ complaint must sufficiently allege actual harm suffered because of the breach. Many a data breach class action has failed this test and been thrown out before the discovery stage.”
When Anthem filed a motion to dismiss, however, the judge rejected it—an uncommon result at the time. The takeaway? “Plaintiffs are getting more sophisticated at alleging actual harm sufficient to beat back a standing challenge,” Bowen and Hutchins explain in the post.
Fortunately for businesses, class certification remains an obstacle that has yet to be successfully dodged in any data breach case. (The Anthem case is still in discovery.) “Despite 12 years of litigation over data breaches, no court has yet certified a consumer breach class,” the attorneys write.
The Anthem breach also highlights the role of consumer behavior in contributing to data breaches. “Some Internet users are their own worst enemies in this regard,” write Bowen and Hutchins. “Consumers should not assume that they cannot or will not be affected by a data breach. Every consumer should regularly take safety precautions to reduce the risk that their personal information is not needlessly exposed.”
For instance, they should regularly check the privacy policies of the websites they visit and, if they don’t like what they see, “opt-out” or choose another company with which to do business, the attorneys write. In the post, they also encourage consumers to regularly check free credit reports via services like Credit Karma.
“The Anthem breach also should have served as a reminder of a very important fact: no organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised,” Hutchins and Bowen write in the conclusion to the piece. “Continued vigilance by entities that store personally identifiable information and by consumers who often willingly provide it is necessary to minimize the potential for harm that can result from its misuse.”