An Assessment of the Anthem Data Breach Litigation Rulings (Guest Blog Post)
By guest blogger David Silverman
[Eric’s intro: this blog post helps distill Judge Koh’s two rulings, In re Anthem Inc. Data Breach Litig., No. 15-MD-02617 (N.D. Cal. Feb. 16, 2016) (“Anthem I”) and In re Anthem Inc. Data Breach Litig., No. 15-MD-02617 (N.D. Cal. May 27, 2016) (“Anthem II”). These are complicated opinions, and I hope this post helps you wade through them.]
Following her ruling denying in part the motions to dismiss in the Adobe breach case, Judge Koh has again gone against the tide and filed two more plaintiff-friendly opinions on the viability of class action data breach claims. Defense counsel seeking practice pointers would note the failure to effectively exclude third-party beneficiaries as enforcers of a data management agreement, and the use of integration clauses that inadvertently opened the door to making privacy notices enforceable parts of a contract.
The Blue Cross/Blue Shield data breach at issue in this case began in December 2014 and lasted through the end of January 2015; notices were sent out in February 2015. The original consolidated amended complaint had 13 separate counts, each with multiple claims under the laws of various states. The first round of motions to dismiss was limited to ten claims, five selected by plaintiffs and five by defendants. The surviving claims from Anthem I were: California UCL, New York G.B.L. 349, and federal third-party contract beneficiary claims. Dismissed with leave to amend in Anthem I were California breach of contract, New Jersey breach of contract, New York unjust enrichment and Georgia Information and Privacy Protection Act claims. Dismissed with prejudice in Anthem I were the Indiana negligence, Kentucky Consumer Protection Act and Kentucky Data Breach Act claims. Anthem I also dismissed claims as to certain defendants on the grounds that there were no factual allegations going to the involvement of those defendants. That outcome was partially overturned in Anthem II.
Highlights (or Lowlights?) of Anthem II:
- PII has intrinsic monetary value as reflected by prices on the illegal market;
- Insurance premiums could be the basis for damages despite no express allocation to data security;
- Annual privacy notices from health insurers were inadvertently incorporated by reference;
- HIPAA business associate agreement conferred third party beneficiary rights on insured persons; and
- Named plaintiffs from State A with claims against a provider in State A could also stand for plaintiffs in State A enrolled across state lines by local affiliates in States B, C and D.
Incorporation By Reference
Anthem I dismissed contract claims (with leave) because they failed to plead facts necessary to show that the privacy notices were incorporated into the contracts. The Anthem plaintiffs took the hint. The California breach of contract claim was among the ten selected for treatment on motion to dismiss, and the defense maintained that the annual notices and other privacy policies were not part of the contract of insurance. But the summary of benefits received by the California public employees specifically referred to the annual mailings in terms such as “you have the right to receive a copy of the Notice of Privacy Practices” and such specificity pointed to incorporation. The statement that the insurer itself would handle information “subject to all applicable confidentiality requirements” with a cross-reference to the Notice of Privacy Practices as encompassing its policies with respect to information privacy and security suggested incorporation by reference. Anthem argued that an integration clause in the contract precluded incorporation of the privacy policies and statements, but the clause failed because it incorporated other documents that contained specific references to the Notice and other privacy policies. The defense also argued that the privacy policies, especially the annual notice, were not enforceable because they merely articulated legal obligations imposed on the insurers by applicable law. The court rejected this based on the wording of the policies themselves, as they did not expressly limit the insurer’s obligation to the requirements of applicable law, but included comfort language promising to go further.
Third Party Beneficiaries
In more bad news for the defendants, the court held as a matter of first impression that California public employees, for whom BCBS of California acted as plan administrator, could claim as third party beneficiaries of the HIPAA business associate agreement between BCBS of California and the California Public Employees Retirement System. The defense argued that the business associate agreement, like the annual Notice of Privacy Practices, was no more than a pro forma statement of legal obligations. The court noted that a business associate agreement may cover more than HIPAA requires. Because the business associate agreement was attached to the ASO agreement for California public employees, the ASO agreement could incorporate the various privacy policies and the class could go forward as third-party beneficiaries of the business associate agreement. A third-party beneficiary must “take the contract as he finds it” but the public employees met this requirement, because Anthem admitted that CalPERS itself could recover damages if BCBS had breached the business associate agreement. Some other named plaintiffs, whose ASO agreements expressly disclaimed any third-party beneficiaries, had their California breach claims dismissed.
Although contract damages must be quantifiable, failure to earmark part of an insurance premium for data security did not mean overpayment could not be quantified. The Anthem II court addressed two kinds of arguments that damages based on overpayment of insurance premiums would be barred by preemptive regulatory schemes. Such damages were barred in New Jersey by the filed rate doctrine, which prohibits courts from entertaining challenges to regulated rates. But they were not barred by ERISA, which preempts only state claims involving “benefits” (such as payments to health care providers) as distinct from premiums. Federal employees who purchased health insurance through the Office of Personnel Management (OPM) were among the plaintiffs. Anthem I said they could bring suit as third-party beneficiaries of their insurance contracts, and Anthem II held that the kinds of damages they sought could be recovered either as contract damages or in restitution.
Most courts that have considered the claim that personal information has some intrinsic, non-statutory monetary value to the individual have rejected it, unmoved by revelations about high prices on the invisible illegal market, and usually noting that the plaintiffs have not alleged that they ever could have sold, or intended to sell, their personal information into such a market. The Anthem II court broke from this tradition and held that, because such extensive PII as was stolen in the Anthem breach is demonstrably traded for value on the illegal market, exposing the information to that market causes economic injury; it is a jump from there to say that the plaintiff has been deprived of the value — the direct costs fall on the defrauded merchants or banks — but the Anthem II court made the leap. It was sufficient that there was an illegal market for the plaintiff’s information; it was not also required that the plaintiff intended to or could have sold her information into that market.
The Anthem II court gave two reasons for rejecting a challenge to prophylactic and remedial expenditures, which it calls “consequential” damages. First, it strongly condemned the argument that for many plaintiffs, other data breaches might have been the cause or partial cause; allowing such arguments would create a perverse incentive for businesses to relax their data security measures. Second, it noted that the complaint need only plead causation, not prove it, and that if the defendants asserted an alternate cause, the burden of proof would shift to them on that issue.
Disclosure vs. Negligent Retention
Statutes that prohibit intentional disclosure of information (as opposed to negligent retention) do not fit well in data security breach cases. The Anthem II court construed, as a matter of first impression, the Georgia Insurance Information and Privacy Protection Act, Georgia Code Ann. § 33-39-14. Because a statutory prohibition against disclosure is not violated through merely negligent retention, the court dismissed with prejudice.
The claims for unfair and unlawful business practices survived while the claim for fraudulent business practices was dismissed with leave to amend. The UCL has emerged as a preferred vehicle for data breach claims because it creates a private right of action premised on violations of statutes that do not themselves provide such private rights.
The grounds for standing under the UCL are narrower than Article III because a heightened risk of future harm, regardless of how certainly impending, is not an injury in fact for UCL standing. But the UCL does not require a showing of causation for standing. Here the viability of the damages theory conferred UCL standing. And, although a contract claim requires privity or third-party beneficiary status, the UCL presumptively allows claims by third parties who were induced by the defendant to pay money to someone else. For these reasons, there was no legally significant distinction between the ASO plaintiffs and the direct purchasers of health insurance for purposes of standing on the California UCL claim.
The defense chose not to challenge the FTC Act, Graham-Leach-Bliley or HIPAA as possible statutory bases, so those claims survived; the plaintiffs chose not to argue for the asserted bases in California law, so those claims were dismissed with prejudice.
There are various tests for the UCL’s unfairness prong among California courts, but Anthem I adopted the “balancing test” which requires courts to “weigh the utility of the defendant’s conduct against the gravity of the harm to the alleged victim.” The defense failed to address the balancing test, despite the court’s having signaled that this was the applicable one. The court referred to its own opinion in Adobe for the finding that data protection is embedded in the public policy of California, and said acts that are contrary to established public policy are presumptively unfair.
On the fraud prong of the UCL, the claims based on fraudulent omission survived, but those based on affirmative misrepresentation were dismissed with leave to amend. As to misrepresentation, the plaintiffs failed to plead reliance on the privacy policies except in a single conclusory sentence. Reliance on fraudulent omission is easier to plead because the specificity rule is relaxed in the case of claims of fraudulent omission.
NY GBL 349
The court followed the Second Circuit, holding that claims under this statute are not required to be pleaded with the specificity FRCP 9(b) requires of fraud claims in general. The defense acknowledged that the analysis would be the same as for California UCL claims under the fraud prong, so the GBL 349 omission claims survived (except as to the government employees, who paid neither the insurer nor the administrator) while the misrepresentation claims were dismissed with leave to amend.