Indiana law does not grant consumers the right to sue Anthem or any other data base owner for negligence following a data breach, according to the federal judge presiding over the Anthem data breach multi-district litigation.  Order, In re Anthem, Inc. Data Breach Litig., No. 15-MD-2617 (N.D. Cal. Feb. 14, 2016).

Instead, Indiana law grants consumers only the right to be notified of the data breach without unreasonable delay.  Indiana Code § 24-4.9-3-1.  If notice is not properly given, the Indiana Attorney General may then seek penalties against the data base owner for up to $150,000.  Ind. Code § 24-4.9-4-2.  However, neither consumers nor the Attorney General may maintain an action under Indiana law against the data base owner for negligently failing to safeguard the consumers’ personal information from accidental loss or theft.

I. Background Facts

Between December 2014 and January 2015, thieves stole from Anthem the personally identifiable information (“PII”) belonging to 80 million customers, including millions of Indiana residents.  This information included personal information (such as names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data) and individually-identifiable health information (pertaining to the individual claim process, medical history, diagnosis codes, payment and billing records, test records, dates of service, and all other health information that an insurance company has or needs to process claims).

According to the class action plaintiffs, Anthem was on notice of the need to safeguard PII as a result of prior incidents and specific warnings from the federal government.  In 2009, while doing business under the name Wellpoint, approximately 600,000 Anthem customers had their PII compromised due to a data breach.  In 2013, the U.S. Department of Health and Human Services fined Anthem $1.7 million for various HIPPA violations related to data security.  And, in 2014, the federal government informed Anthem and other healthcare companies of the possibility of future cyberattacks and advised companies to take appropriate defensive measures, such as using encryption and enhanced password protection.

Furthermore, plaintiffs alleged that Mandiant, the cybersecurity firm Anthem hired to investigate the breach, determined that Anthem’s negligence led to the most recent data breach.  Mandiant supposedly found that Anthem and its affiliates failed to take reasonable measures, such as encrypting data at rest, to secure the PII in their possession.  Plaintiffs alleged that the defendants did not heed these warnings resulting in the massive data breach in December 2014 through January 2015.

Multiple class action lawsuits were filed against Anthem and affiliated and non-affiliated companies following news of the data breach.  Those cases were consolidated in the multi-district litigation pending in federal court in San Jose, California.

II. The Court’s Ruling

Anthem and the other defendants moved to dismiss several of the claims asserted in the class action complaint.  The court issued an 82-page ruling granting in part and denying in part those motions.  The focus of this blog post is the court’s ruling on the motion to dismiss the Indiana claim for negligence.

The court decided to dismiss the Indiana negligence claim for several reasons.  First, the court did not believe it was appropriate for a federal court to create a new cause of action under Indiana law in the absence of any controlling Indiana authority.  The court noted that there was no controlling decision by the Indiana Supreme Court or Court of Appeals having ever found that a data base owner has a duty to exercise reasonable care to prevent a breach or that any resulting damages, e.g. for credit monitoring, would be recoverable under Indiana law.

Second, the court held that the Indiana legislature’s decision not to create a cause of action for consumers following a data breach weighed strongly against the court unilaterally creating a new cause of action.  In 2007, the United States Court of Appeals for the Seventh Circuit held that Indiana law did not grant a bank’s potential customers the right to sue for damages following a data breach of their personal information.  Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 637 (7th Cir. 2007).  At the time, Indiana’s data breach notification law (adopted in 2006), did not grant Indiana consumers a private cause of action.  The Anthem court held that the Seventh Circuit decision put the Indiana legislature on notice that no private cause of action existed and the legislature purposely chose not to add a private cause of action when it amended the Indiana data breach notification law in 2009.

The Indiana legislature, presumably aware of the Pisciotta decision, declined to provide plaintiffs a private cause of action when given the opportunity to amend the state’s data breach statutes in 2009.”

In addition, the court found that the Pisciotta decision comported with other the laws of other states that did not grant a private cause of action to data breach victims.  Accordingly, the court in the Anthem data breach litigation held that consumers have no legal remedies under Indiana law against a data base owner following a data breach.

In 2015, following news of the Anthem data breach, the Indiana Attorney General and other Attorneys General requested that Anthem provide identity theft protection coverage to consumers at no charge.  Anthem agreed to do so for all 80 million customers, including those in Indiana, even though Indiana law did not require that such coverage be provided.

III.  Takeaways

For Indiana consumers, the takeaway is to heed the Indiana Attorney General’s warnings and sign up for a credit freeze.  Consumers can protect themselves from identity and data theft by signing up for a credit freeze with the three major credit reporting agencies Equifax, Experian, and Transunion, available at this link.

For Indiana businesses, the takeaway is to continue to exercise reasonable diligence to safeguard consumer PII and to purchase cyber insurance.  Many data base owners have personally identifiable information belonging to more than just Indiana residents.  To the extent data base owners have information belonging to residents of other states, the data base owners will have to comply with the laws of those other states when doing business with those states’ residents.  Other states have imposed a duty on data base owners to safeguard PII in their possession and have granted consumers a private cause of action for negligently failing to safeguard PII.  There are also a host of laws that require certain businesses to safeguard PII.  You will want to exercise reasonable diligence to safeguard PII to defend yourself in lawsuits brought by residents of other states.  Also, cyber insurance offers a variety of benefits, including providing notice to consumers whose data has been breached.  Consumers have come to expect this type of coverage to be provided free of charge following a data breach.

Finally, given that class actions may be easily removed to federal court under the Class Action Fairness Act of 2005, it is unlikely that Indiana courts will be presented the opportunity to decide whether state law grants consumers the right to sue data base owners for negligence following a data breach unless a federal court certifies such a question to the Indiana Supreme Court to decide as a matter of first impression.  It is also unlikely that the Indiana legislature will grant consumers a right to sue for damages following a data breach anytime soon.