In a decision that may spawn lawsuits like salmon in the spring, U.S. District Court Judge Lucy Koh (Northern District of California) rules that claims of New York and California plaintiffs in the Anthem, Inc. health data breach may proceed under consumer protection laws of those states.
The statutes, New York’s General Business§ 349, and California’s Unfair Competition Law, comprise similar standards for a cognizable claim: A consumer-oriented contract that is materially misleading, and “that plaintiffs suffered injury as a result of the allegedly deceptive act or practice.” Judge Koh found that the plaintiffs’ claim that they signed contracts with the Anthem entities’ representations concerning security, which allegedly were proven false by virtue of the attack on Anthem that lead to the massive breach (alleged to have affected up to 80- million individuals), met the first two requirements.
Perhaps the more ground-breaking aspect of the decision, though, is the court’s finding that loss of Personally Identifiable Information (“PII”) was a harm that could be compensated. “No New York courts have yet ruled on this question,” Judge Koh noted.” PII has a value, Judge Koh wrote, and the loss of that value was sufficiently alleged when plaintiffs claimed that hackers had used information stolen from the Anthem database to file a false tax return. Therefore, the court wrote, loss of the value of PII is a concrete injury, and “cognizable for of economic injury.”
Many past class actions stemming from cyber attacks had foundered on this very issue, and Judge Koh’s opinion, finding loss of personally identifiable information, is itself an economic loss and may breathe new life into cyber attack class action claims.
The court also gutted a defense increasingly utilized in these cases that the plethora of cyber attacks indicates that an attack could not have been caused by failure to exercise due care over subscribers’ information. Authority for that point, Judge Koh noted drily, was taken from a Forbes magazine article, but notwithstanding reliance on such authority the court dispensed with the argument by noting that to permit such a defense would “create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable.” The days of this defense may be numbered.
If you have questions regarding cyber attack litigation, please contact Kenneth N. Rashbaum.