The Anthem Breach – A Retrospective (Part II)

We published Part I of our “Anthem Breach Retrospective” in January 2017.  Coincidentally, at around the same time several plaintiffs in one of the earliest filed cases arising out of the Anthem data breach voluntarily asked a judge in the Northern District of California to dismiss their lawsuits. The requests for dismissal came after Judge Cousins ordered select plaintiffs to comply with a discovery request by Anthem, requiring them to submit their computers to an independent forensic examiner to determine whether malware caused data or credentials to be stolen from the plaintiffs’ computers even before the breach of Anthem’s systems. In other words, Anthem wanted to know whether someone else caused the plaintiffs’ alleged injuries.

Legally, it isn’t surprising that Anthem should be entitled to this kind of information through discovery because it pertains to the issue of causation. Anthem wanted to know if the plaintiffs’ personal information was compromised under circumstances having nothing to do with Anthem, months before the Anthem breach. In discovery, it was fair game for Anthem to seek to compel these plaintiffs to comply with its request – even if it requires the disclosure of confidential information. But, it appears that at least one of these plaintiffs dropped out of the suit because he did not wish to disclose possibly confidential information in a lawsuit where he is suing because of alleged negligence with respect to confidential information.

Yet, confidential information is routinely disclosed in all kinds of lawsuits. When organizations sue alleging their trade secrets were stolen, confidential information regarding the organization’s protection protocols are relevant and discoverable by the defendant. The defendant will want to know whether the allegedly misappropriated trade secret was really treated as a secret. In almost every action where the plaintiff seeks lost profits (such as where the plaintiff alleges that it lost profits due to libelous statements or false advertising) it is axiomatic that the plaintiff needs to turn over financial records, e.g. profit-loss statements, which are typically confidential.  If a personal injury plaintiff alleges he can’t work due to a car accident, the defendant is entitled to examine the plaintiff’s medical records to determine whether a previous medical condition is the true cause of the plaintiff’s disability.

That doesn’t mean it’s a free-for-all. If it is true that parties in litigation have to disclose confidential information to the opposing party, then it is often equally true that the amount of information disclosed, and to whom, is limited and controlled. To use the previous examples, a company claiming lost profits may only need to turn over profit-loss statements regarding the product that was libeled. The personal injury plaintiff may only have to disclose medical information as to the body part that was injured. And in all cases, a court order may set forth protocols to ensure that confidential information is not accidently disclosed to the public. For example, in some cases, only the opposing party’s attorneys and experts are permitted to lay eyes on confidential information, particularly if the parties are competitors and the confidential information gives one party a competitive advantage over the other.

The litigation concerning the Anthem breach is no different. The court, having found the information Anthem seeks to be highly relevant, framed an order that drastically limited the amount of information that could be culled from forensic examination of the plaintiffs’ computers. The court also put in place measures that called for tightly controlled access to the plaintiffs’ confidential information. For example, per the court’s order:

• Only a select number of plaintiffs would be subject to the forensic examination;

• Handheld devices were ordered excluded from the examination;

• The forensic examinations would be conducted by “expert Independent Forensic Examiners,” chosen by the plaintiffs;

• The expert forensic examiners would have the capacity to conduct the entire examination, ensuring that the plaintiffs’ information would not be passed around, from one examining entity to another;

• The examinations would be conducted in accordance with industry standards set forth in NIST procedures and protocols, and would be conducted for the limited purpose of identifying malware or malicious files, and if such files were found, for purposes of identifying when those files were installed and whether data or credentials were stolen;

• Specialized industry-standard software would be used for the examination to ensure that there would be no damage to the integrity of the forensic images or to the plaintiffs’ devices and their operating systems;

• Neither Anthem nor its experts would be provided with the plaintiffs’ devices or forensic images of those devices;

• Anthem would only be permitted to review a report generated by the independent forensic examiner; the report was ordered to be provided in an industry-standard encrypted format, with the decryption key provided through separate means; and

• The report would be destroyed at the end of the litigation, and the forensic images would be destroyed in accordance with forensic industry standards at the conclusion of the independent forensic examiners’ analysis.

The judge in this case sits in the heart of Silicon Valley and obviously knows how to take steps aimed at ensuring that the plaintiffs’ personal information is not stolen in the course of discovery. One would expect that the independent forensic examiner selected by the plaintiffs would also know how to responsibly handle the plaintiffs’ information. And in this instance, as in many cases, there is a court order in place for added data security. One can safely state that the degree of protection afforded to these plaintiffs’ personal information in the course of the forensic examination will be greater than under most everyday circumstances. Thus, when the plaintiffs ask the court to dismiss their lawsuit because they are concerned about releasing their computers, given this heightened protection in place, one has to wonder whether the plaintiffs had reasonable expectations regarding their personal privacy to begin with, and whether, in suing Anthem, they are seeking to hold Anthem to an almost impossible standard. It’s a good thing for businesses that are charged with responsibility for protecting personal information they hold in the course of their business that these particular plaintiffs are not the judge of what level of data security meets the test of reasonableness.