Upwards of 80 million Americans may be affected by the Anthem data breach. According to Anthem’s press release, the hackers gained access to the names, birthdays, medical IDs/social security numbers, street addresses, email addresses, and employment information of its current and former customers and its own personnel. So far, Anthem has found no evidence that the hackers gained access to credit card numbers or medical information.
Within one day of Anthem’s announcement of the hack, Anthem was subject to several class action lawsuits and government investigations into whether Anthem’s security measures were sufficient. This question is not easy to answer given the patchwork of privacy laws in the United States and the rapid changes to rules, laws, and standards in the cybersecurity area. Though federal legislation is being discussed, nothing exists right now that sets a nationwide standard on what is, or isn’t, considered a sufficient security standard.
This hack, as well as other high profile hacks that have occurred in the last few months, will likely impact the steps companies are required to take in California to protect private information. California state law currently requires that a “business that owns, licenses, or maintains personal information about a California resident implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Civil Code § 1798.81.5(a)(2). As the statutory language suggests, what is “reasonable” is highly dependent on the nature of a business and the personal information it is guarding. Noticeably absent from the statute are the specific requirements companies must meet to achieve this “reasonableness” standard. While this lack of specificity benefits companies that wish to be creative and innovative, it presents a challenge to those seeking a more definitive standard.
In light of the rapid changes in data breach techniques and ever-expanding cybercriminal threats, companies can surely count on the fact that the “reasonable” standard will become more stringent, and what has typically been considered “reasonable” may no longer be enough. Stricter requirements may be pushed through the legislature, such as the recent approval of AB 1710, which expanded consumer privacy protections. Courts will undoubtedly be asked to decide whether the status quo is sufficient, and to further define what “reasonable” really means. Companies can stay ahead of the cybercrime tide by hiring professionals to help them implement security policies that keep pace with the rapid changes in the nature and scope of these attacks.