Computers Off Limits to Anthem in Breach Suit

     SAN FRANCISCO (CN) – A federal judge denied Anthem’s request for access to computers of former customers who accuse the insurance giant of failing to protect their personal information in an enormous data breach last year.
     Anthem filed a motion seeking permission to access plaintiffs’ computers, smartphones and tablets to image and copy them to determine whether the data breach or embedded malware was responsible for the potential harm that could include identity theft and tax problems.
     U.S. District Judge Nathaniel Cousins told Anthem it was “ironic that the defense was seeking discovery of the plaintiff’s personal information when the core allegations of the plaintiffs is the defense failed to protect them from damage to their personal information.”
     Anthem attorney Des Hogan said that Anthem did not seek user-generated content, such as photos, word documents or other personal information, but wanted to inspect the computers to see if they contained malware capable of creating the harm alleged by the plaintiffs.
     “This was a state-sponsored cyber attack,” Hogan said. “The attackers were not selling their information to the deep and dark Web, where people buy Social Security numbers.”
     China is believed to be behind the cyber attack, though it has denied responsibility.
     Hogan said that tax issues claimed by one plaintiff could have been caused by a security failing other than the Anthem data breach, and the company needs the computers of certain individual plaintiffs to determine that.
     “There is a significant industry of criminals fishing and aiming malware at personal computers and tablets,” Hogan said. “Personal information is extracted and sold by criminals in the deep and dark Web. Our belief is that is the cause.”
     Cousins conceded there was probative value to allowing Anthem to ascertain whether malware caused some of the problems, but he ruled for the customers.
     Plaintiffs’ attorney Eve Cervantez told the judge that allowing Anthem access to computers, tablets and phones would place an unfair burden on the plaintiffs by forcing them to hand over personal information to a company they are suing for failing to protect their information.
     “It is exceedingly burdensome, exceedingly invasive,” Cervantez said. “Even if the expert was able to determine the type of malware that can export data, they are not going to be able to tell the kind of information that was exported or know whether it was taken in the Anthem data breach.”
     Cervantez called it “a narrow fishing expedition for such an invasive process.”
     Cousins agreed, saying that a ruling for Anthem could produce a “chilling effect on the plaintiffs, not just these plaintiffs, but if future plaintiffs knew their computer and phone might be taken, it might prevent them from bringing such claims as this.”
     Cousins allowed latitude for the parties to agree upon a less-intrusive manner by which to determine to what extent the data breach caused the alleged harm, or whether other factors may have contributed.
     He encouraged both sides to encourage their cybersecurity experts to collaborate and come up with a targeted and safe way to explore the evidentiary item in question.
     “I think both parties could find some common ground that would allow some discovery, but would not be so burdensome on the privacy interests of the plaintiffs,” Cousins said.
     Cervantez told Courthouse News: “This was an important ruling because Judge Cousins recognized that ordering Anthem’s requested discovery would have a chilling effect on these and future plaintiffs’ willingness to step forward and vindicate their rights.”
     The Anthem Data breach, which the company disclosed in February 2015, involved more than 37 million records from the company’s computer system, affecting an estimated 80 million people.
     The records included information such as credit card numbers, Social Security numbers, income, home and email addresses and employment information.

%d bloggers like this: