In an 82-page decision issued on February 14, 2016, Northern District of California Judge Lucy Koh granted-in-part and denied-in-part motions to dismiss filed by Anthem, Inc., and other health insurer defendants in response to a putative class action brought in the wake of Anthem’s announcement that it had been the target of a criminal cyberattack. Plaintiffs asserted a variety of common law and statutory claims against Anthem, including claims under California’s Unfair Competition Law (“UCL”) and New York’s General Business Law (“GBL”). Importantly, Judge Koh held that Plaintiffs have standing to proceed under Article III and California law and had met the requisite showing of “actual harm” under New York state law.
Approximately 80 million individuals were affected by the data breach, according to Anthem’s announcement on February 4, 2015. Anthem is one of the largest health insurers in the United States and the personally identifying information (“PII”) affected by the breach reportedly included individually identifiable health record information, such as medical history, payment and billing records, and test records; and personal information such as names, birth dates, Social Security numbers, healthcare ID numbers, home and email addresses, and employment information, including income.
Judge Koh described the two elements required to establish standing under the UCL as economic injury and causation. On the first element, Plaintiffs argued that they were due “benefit of the bargain” damages based on the contention that they paid premiums for health care services that allegedly should have included stronger data security measures. That form of damages, Judge Koh concluded, “represent[ed] economic injury for purposes of the UCL.” In support, Judge Koh cited her motion to dismiss order in In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014), a watershed decision that has largely set the terms for data-breach litigation in the Ninth Circuit.
On the second element—causation—Defendants argued that Plaintiffs had not shown that any of their claimed injuries resulted from the Anthem cyberattack versus other big data thefts in recent years. The court disagreed, finding that the Plaintiffs’ allegations had “plausibly link[ed]” their “purported injuries to the Anthem cyberattack.” Specifically, Judge Koh relied on Plaintiffs’ statements that third parties had illicitly used their PII, along with the fact that Defendants did not contest that they had collected Plaintiffs’ PII and that such information was subsequently stolen. “[I]mportantly,” Judge Koh wrote, “Defendants’ theory [that] a company affected by a data breach could simply contest causation by pointing to the fact that data breaches occur all the time” would “create a perverse incentive for companies.” Defendants in data-breach cases routinely rely on that argument to rebut the inference of causation. It is important to emphasize that Judge Koh’s ruling was made at the pleading stage, concerning a motion to dismiss, and it remains to be seen whether courts will apply similar reasoning at the materially different stages of class certification, summary judgment, or trial.
Injury Under New York Law
Judge Koh also held that Plaintiffs had sufficiently pleaded injury under New York’s GBL. In addition to Plaintiffs’ claimed benefit of the bargain injuries, Judge Koh found cognizable economic harm in Plaintiffs’ allegation of “Loss of Value of PII” (a form of injury Plaintiffs did not claim under the UCL). Plaintiffs alleged that the data theft had diminished their protected interest in the confidentiality and privacy of their PII. In view of the fact that neither New York state courts nor federal courts in the Second Circuit have yet to rule on this theory of harm, Judge Koh extrapolated from “the reasoning set forth [in the standing context] in In re Adobe,” in which she held that “the risk” that personal data “will be misused by  hackers … is immediate and very real.” 66 F. Supp. 3d at 1211. “Here too,” Judge Koh concluded, Plaintiffs were subjected to an increased risk of harm when their PII was stolen and shared for illicit purposes—all of which represented “cognizable injury” under New York law. Judge Koh recognized that In re Sony Gaming Networks & Consumer Data Security Breach Litigation (“Sony II”), 996 F. Supp. 2d 942 (S.D. Cal. 2014), was contrary authority, but nonetheless found In re Adobe “more persuasive” because “none of the cases cited in Sony II addressed whether ‘Loss of Value of PII’ constitutes a cognizable injury” under New York law. By contrast, according to Judge Koh, “the consistent theme running through [the post-Sony II] decisions … is that ‘Loss of Value of PII’ represents a cognizable form of economic injury.”
Judge Koh’s opinion tracks recent standing cases, including her decision In re Adobe, allowing plaintiffs to proceed with data-breach claims pursuant to California law. Her decision breaks new ground, however, when it comes to what claimed losses represent cognizable injury under New York’s GBL. As with her decision in Adobe, Judge Koh’s decision in Anthem will continue to be scrutinized and invoked by data-breach plaintiffs, perhaps even more so in light of Judge Koh’s nomination to the US Court of Appeals for the Ninth Circuit on February 25.
Organizations and individuals alike are contending with the recognition that breaches are occurring with increasing frequency across all sectors, from social networks to government databases. Numerous state, federal, and foreign laws and regulations impose disclosure obligations for groups that collect PII. California, in particular, has taken the lead on many such state regulatory efforts. Read more about California’s recent efforts.
The case is In re: Anthem, Inc. Data Breach Litigation, 5:15-MD-02617-LHK.