LOS ANGELES, April 10, 2017 /PRNewswire/ -- A major data-breach lawsuit highlights an intriguing question for defense teams—whether plaintiffs are attempting to hold companies to unrealistic standards of data-privacy protection, writes LeClairRyan business litigator Chad Mandell in a March 27 column for Corporate Compliance Insights.
In the column ("An Impossible Standard? Data Breach Defense Raises An Important Question"), Mandell cites the high-profile data-breach case of Indianapolis-based healthcare giant Anthem, which in January 2015 learned that hackers had breached its IT system, reportedly making off with the personal data of as many as 80 million Americans.
Two years later, Mandell notes in the piece, several plaintiffs voluntarily asked a judge in the Northern District of California to dismiss the lawsuits they themselves had filed against Anthem.
"The judge had ordered select plaintiffs to comply with a discovery request by Anthem that required them to submit their computers to an independent forensic examiner," writes Mandell, a partner in the national law firm's Los Angeles office. "Anthem wanted to determine whether malware had caused data or credentials to be stolen from the plaintiffs' computers even before the breach of Anthem's systems. If that proved to be true, it would call into question whether the plaintiffs' alleged injuries had truly been caused by the Anthem hack."
It appears that certain plaintiffs dropped out of the suit in order to avoid disclosing this possibly confidential information via discovery, the attorney notes in the column.
Arguably, the process might well have shown that these plaintiffs' data or credentials had been compromised prior to the Anthem breach. After all, Mandell points out, some Internet users are their own worst enemies with respect to data privacy.
"They essentially take zero safety precautions to reduce the risk that their personal information is not needlessly exposed," he writes. "Instead of checking the privacy policies of the websites they visit and 'opting out' of potentially invasive requests, they reflexively give permission to any and all requests. People still use 'password' as their password or fail to take advantage of enhanced measures such as two-factor authentication."
No organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised, Mandell says. "Thus, it is reasonable to ask whether alleged damages in a data-breach case truly can be traced to a given hack of a particular company or whether they stem from a prior breach or multiple prior breaches of the plaintiff's own computer," he notes in the column.
In the Anthem case, the court framed an order that drastically limited the amount of information that could be culled from forensic examination of the plaintiffs' computers. It also put in place multiple and extensive measures that called for tightly controlled access to the plaintiffs' confidential information, Mandell writes.
But even with this heightened protection, certain plaintiffs balked. "As a result, one has to wonder whether they had reasonable expectations regarding their personal privacy to begin with," Mandell concludes. "In suing Anthem, were they seeking to hold the company to an almost impossible standard? It's a question that could prove useful for other firms as they seek to defend themselves in data breach cases."
The full blog post is available at
As a trusted advisor, LeClairRyan provides business counsel and client representation in corporate law and litigation. In this role, the firm applies its knowledge, insight and skill to help clients achieve their business objectives while managing and minimizing their legal risks, difficulties and expenses. With offices in California, Connecticut, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, Michigan, Nevada, New Jersey, New York, Pennsylvania, Rhode Island, Texas, Virginia and Washington, D.C., the firm has approximately 350 attorneys representing a wide variety of clients throughout the nation. For more information about LeClairRyan, visit www.leclairryan.com.
To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/questioning-plaintiffs-privacy-expectations-could-be-viable-part-of-defense-strategies-in-data-breach-cases-attorney-writes-300436651.html