Plaintiffs in In re Anthem Data Breach Litigation got a nice Valentine’s Day gift from District Judge Lucy H. Koh on Sunday: an 82-page opinion allowing their claims to move forward. (Download the full opinion here: Op-In-re-Anthem-Data-Breach.pdf.) Here’s the background: One year ago, Anthem, a large health insurance company, disclosed that hackers accessed a database containing up to 80 million customer records, including names, birth dates and Social Security numbers. Over one hundred class action lawsuits ensued, which were consolidated before Judge Koh in San Jose, CA.
In its motion to dismiss Anthem argued that, due to the proliferation of data breaches in recent years, the plaintiffs cannot show this particular breach was the source of any harm. Judge Koh soundly rejected that argument, reasoning that ruling in Anthem’s favor would create a “perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable.”
Instead, Judge Koh ruled, inter alia, that the loss of personal information, in and of itself, constitutes a harm under certain consumer protection laws, including New York’s (NY GBL § 349). She also ruled that the California Unfair Competition Law permits recovery of profits realized due to unduly lax security measures, such that California plaintiffs may proceed on the theory that they overpaid for insurance.
The ruling is consistent with, and builds upon, on Judge Koh’s analysis in In re Adobe Systems Privacy Litigation, a large data breach case where she denied Adobe’s motion to dismiss, finding that the plaintiffs plausibly alleged “a concrete and imminent threat of future harm.”
This is a big win for the plaintiffs and their lawyers, partly because of the likelihood of decent settlements. (Many consumer protection laws, including NY GBL § 349, provide for recovery of attorney fees, which will factor into the negotiations.)
Anthem joins Target, Neiman Marcus, Sony, and Adobe as a leading data breach case surviving dismissal. Stacked against these are, e.g., Zappos, Barnes & Noble, Michael’s Stores, and eBay, which relied on Clapper to reject data breach claims on standing grounds. (See also Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), affirming dismissal pre-Clapper.) (That’s an oversimplification, but I hope it provides a good birds-eye view of the landscape.) The Supreme Court may chime in with additional guidance soon, in Robins v. Spokeo Inc., 742 F.3d 409 (9th Cir. 2014), cert. granted, 135 S. Ct. 1892 (Apr. 27, 2015) (No. 113-1339), where the Ninth Circuit held that violation of a statute (the Fair Credit Reporting Act) alone constitutes sufficient injury to confer standing. So stay tuned…