The U.S. District Court for the Northern District of California ruled that the Employee Retirement Income Security Act (ERISA) preempts state-law claims arising out of Anthem’s data breach in Smilow, et al. v. Anthem Life & Disability Ins. Co., et al., No. 15-MD-02617-LHK (N.D. Cal. Nov. 24, 2015) (consolidated as In re Anthem, Inc. Data Breach Litigation). In reaching its conclusion, the District Court found that Defendants—Anthem and two ERISA plan administrators—did not have an independent legal duty to protect Plaintiffs’ privacy under state privacy laws.
Anthem is one of the largest health benefits companies in the United States. Based on Anthem’s public announcements, in or around December 2014, cyber-attackers breached Anthem’s data systems. The security of personal health information of Anthem plan participants may have been compromised over the course of several weeks.
The Anthem data breach spawned numerous class actions in state and federal courts across the country. Plaintiffs originally filed the class action for New York citizens with current and former Anthem plans in the Supreme Court of Kings County, New York alleging that the compromise of Plaintiffs’ personal health information violated New York law. Anthem removed the case to the Eastern District of New York and, in June 2015, the Judicial Panel on Multidistrict Litigation consolidated it with others pending before Judge Koh in the U.S. District Court for the Northern District of California. Judge Koh then ordered additional briefing regarding Plaintiffs’ effort to remand the case back to state court.
ERISA Completely Preempts State Law Claims Against Plan Administrators Permitting Removal of Data Breach Claims to Federal Court
Anthem’s original notice of removal argued that Plaintiffs’ class action presented federal questions under ERISA or HIPAA. In seeking to remand, Plaintiffs argued the removal to federal court was improper. In the decision, Judge Koh explained that ERISA preempts any matter where the state law claims “duplicates, supplements, or supplants the ERISA civil enforcement remedy” of Section 502(a), citing and relying on the U.S. Supreme Court’s decision in Aetna Health, Inc. v. Davila, 542 U.S. 200 (2004).
Based on Davila and intervening Ninth Circuit precedent regarding the scope of ERISA preemption of state law claims, Judge Koh applied a two-part test that looks to whether Plaintiffs’ class action was completely preempted by Section 502(a) of ERISA such that removal was proper. Under the Ninth Circuit’s test, ERISA preempts a state law claim if (i) Plaintiffs could have brought the claim under Section 502(a)(civil claims by plan participants and beneficiaries to recover plan benefits, obtain a declaration of rights under the plan, etc.); and (ii) where there is no other “independent legal duty to protect Plaintiffs’ privacy” under state law related to Anthem’s actions.
In determining the first part of the test, Judge Koh reasoned that Plaintiffs could have filed an ERISA claim under Section 502(a) for breach of their insurance contract with Anthem as their employee benefit plan administrator. However, Plaintiffs’ class action only alleged a breach of an implied contract and unjust enrichment claims. Nevertheless, even though Plaintiffs did not include a breach of contract claim in their complaint, Judge Koh concluded that they hypothetically could have, so their claims satisfied the first part of the test.
Turning to whether an “independent legal duty” existed under New York state law to protect Plaintiffs’ privacy, the Court found that no such independent legal duty existed. In reaching this conclusion, Judge Koh explained that Anthem’s materials, including a plan participant handbook with references to state privacy statutes, demonstrated that Anthem had a duty to comply with state privacy laws but that this duty stemmed directly from their obligations under ERISA. So, Judge Koh found that Anthem’s duty to comply with privacy laws arose under the ERISA plan and the second part of the test was satisfied. As a result, Judge Koh found that Plaintiffs’ breach of implied contract and unjust enrichment claims were completely preempted by Section 502(a) of ERISA and that remand was inappropriate.1
A Possible Intra-Circuit Split
Judge Koh’s decision stands in contrast to a recent ERISA preemption ruling out of the U.S. District Court for the Eastern District of California, where a federal court reached the opposite conclusion regarding whether ERISA completely preempted a state law claim that was based on California’s constitutional right to privacy. In Rose v. HealthComp, Inc., No. 1:15-cv-00619-SAB (E.D. Cal. Aug. 10, 2015), the court considered a similar request to remand a state law based privacy claim on ERISA grounds. While Rose was not a data breach case like the Anthem case, the Rose court found that an employee’s claim could have been brought under Section 502(a) of ERISA, thereby satisfying the first part of the Ninth Circuit’s test to evaluate ERISA preemption. But, the Rose court reached a different conclusion on whether an independent legal duty existed to protect privacy under the second prong of this test. The Rose court held that the plan administrator’s duty to safeguard the plaintiff’s privacy under the California Constitution was independent from its obligations under ERISA. In reaching this conclusion, the court noted that California has a self- executing right to privacy under its Constitution that was created specifically to address disclosure of personal information. Thus, the court held that the administrator would have had a duty to safeguard plaintiff’s private medical information even if the plan had not existed.
ERISA preemption for state law data breach and privacy claims is an evolving area of the law, which presents challenges for companies with ERISA plans as they chart their course for navigating these issues. As highlighted by the decisions in the Anthem and Rose cases, ERISA preemption may turn on the details of the laws of the various states in question. Indeed, the form and scope of the state’s privacy laws may have an impact on whether Section 502(a) of ERISA completely preempts a claim premised on the violation of state privacy protections. Thus, companies with ERISA health plans must continue to follow this evolving area with the assistance of outside counsel to ensure that their plan documentation appropriately describes the basis of their duty to protect personal health information.
Furthermore, from a big picture perspective, the Anthem breach is a reminder to companies that third parties present a significant cyber risk. Outside of the ERISA specific context, companies should ensure that they have a comprehensive third-party risk management program in place that addresses cyber threats from third parties.