Our last few blogs have focused on litigation under the Video Privacy Protection Act, including the recent ruling from the 10^th Circuit in Yershov v. Gannett Satellite Information Network, Inc., 2016 U.S. App. LEXIS 7791 (1st Cir. Apr. 29, 2016).  Elsewhere, courts have been trying to figure out what to do about consumer lawsuits, including a recent ruling in the multi-district class action litigation world where Judge Lucy Koh of the Northern District of California issued an order denying in part a motion to dismiss that permitted claims relating to the enormous data breach at Anthem Blue Cross to survive.

That lawsuit arose after Anthem Blue Cross suffered a massive data breach in which 80 million of its users had their data hacked and compromised.  Naturally, many lawsuits followed, naming upwards of 40 entities affiliated with Anthem Blue Cross.  The plaintiffs alleged over a dozen state and federal claims, but those myriad causes of action can all be boiled down to a simple premise: the plaintiffs would like to be compensated for costs associated with the data breach.  Blue Cross asserted a number of defenses.  There are two that are of particular interest.

First, on this motion Anthem Blue Cross contended the plaintiffs had no connection with Anthem Blue Cross that would provide standing for a breach of contract action.  Judge Koh rejected this argument.  For plaintiffs under California law, she accepted the argument that individual or group insurance policies sufficed to meet that standard.  More interesting was her ruling on New Jersey breach of contract claims, where she stated that a privacy policy referenced in an informational booklet provided to a consumer was sufficient.  That ruling would seemingly provide consumers quite a bit of latitude to allege a contractual relationship with entities that have suffered a data breach.

Second, Anthem Blue Cross, like all other data breach defendants, have argued that consumers lacked standing because no one has actually been hurt or damaged as a result of the data breach.  This argument has been bolstered because Anthem Blue Cross has been bearing all of the costs and fees to date for credit monitoring and other services.  It is worth referencing because this issue of standing and damages in the data breach context has been a difficult one for courts to solve.  While the claims in the Anthem Blue Cross survived, other courts have weighing this issue have gone the other way.  For example, in a recent Third Circuit decision, Storm, et al. v. Paytime Inc., the Court followed its prior Reilly v. Ceridian decision in affirming a district court ruling that the class plaintiffs did not have standing until stolen data had been used.  The important takeaway on this point is that there really is no single standard.

So what is the right answer?  Should Anthem Blue Cross be forced to pay for damages where they may be hypothetical?  But isn’t it likely that at some point, those consumers will be harmed?  And must those consumers really wait until something bad happens and then file litigation piecemeal?  This dilemma will continue to cause headaches for judges.