The legal wrangling over whether data breaches cause harm to consumers got even more complicated this week, following a District Court ruling against the health insurer Anthem.
In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York’s General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015, The Recorder reported this week.
The decision, if upheld, would kick one leg out from the stool upon which breached corporations have rested their defense against consumer class action lawsuits. Namely: that consumers can’t prove that any harm was done to them as a result of having their personal or financial information stolen.
That has become a common refrain around the country, as this blog has noted. One example: attorneys working for home improvement giant Home Depot asked a federal court in Atlanta to dismiss a suit against the company, claiming that the consumers behind it could not prove they were damaged by a breach of that company’s payment systems in 2014.
"All of the claims alleged in the complaint suffer from the same fatal defect found in the vast majority of other breach cases ... they have suffered no actual or imminent economic injury that is fairly traceable to Home Depot's alleged conduct," the company said in a filing, according to a report in the Atlanta Business Chronicle. That case is still being considered.
Under U.S. law, consumers are not liable for losses due to fraudulent credit card purchases, limiting the economic damage. And linking incidents of financial crimes like identity theft to stolen data from a specific source is difficult. Still, consumer advocates say that the damage to affected consumers stemming from breaches is easy enough to spot.
Judge Koh has weighed in on questions about whether data breaches constitute a kind of “injury” before. In 2014, she found that customers of Adobe Systems Inc. faced a credible threat of injury from a 2013 breach of 38 million customers' data. Some of the personal information exposed in that breach had already been published on the Internet.
Whether harm has occurred to plaintiffs is critical to a court's decision on whether the plaintiff has a right – or “standing” – to sue in the first place. But proving that data exposed in a breach has actually been used for fraud is notoriously difficult.
In her decision in the Anthem case, Koh reasoned that the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven. Allegations of a “concrete and imminent threat of future harm” are enough to establish an injury and standing in the early stages of a breach suit, she said.
Digital Guardian’s blog will continue following this case and others related to data breaches as they move through the courts. Stay tuned!
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.