Analysis: Anthem Data Breach Settlement
Attorney James DeGraw Discusses the Settlement, Other Breach Trends
Although the recent $115 million settlement in the consolidated class action lawsuit against health insurer Anthem Inc. tied to a 2015 cyberattack is considered record-setting for data breach litigation, some terms of the settlement appear underwhelming for victims, says attorney James DeGraw.
Under the settlement approved by a California federal court on Aug. 16, most of the nearly 79 million affected individuals will receive no cash. Instead, most of the settlement fund will be used to fund two more years of credit monitoring and fraud resolution services for victims.
Also, under the settlement, about 13 percent of the fund has been reserved for cash reimbursements for any victims who paid out of pocket for security monitoring services. Plus, Anthem has agreed to nearly triple its cybersecurity budget.
"Credit monitoring itself as an award is frankly not that effective, at least in my personal view," DeGraw, who was not involved in the Anthem case, says in an interview with Information Security Media Group. "A persisting problem is that post-breach, [bad actors] can still potentially use the stolen records, including medical information, to cause harm."
A more effective approach for most consumers, DeGraw says, is to put a credit freeze on their accounts, "which is a bit more cumbersome at times ... but that's a more effective remedy."
For breach victims, "there is no easy way to clean up your life," the attorney says. "You have a fair number of out-of-pocket costs, including taking a day off [from work] to file a report ... and maybe hire people to clean up your accounts and other things that have been opened in your name. It can be a hassle and it's time-consuming and it doesn't go away soon because we can't change our Social Security numbers or healthcare numbers relatively easily."
Is Budget Big Enough?
As for Anthem agreeing to triple its cybersecurity budget, "being a lawyer I'm naturally skeptical. Tripling off what?" he asks.
"That's an issue we see with many organizations the size of Anthem, and companies much smaller than Anthem: What is the security budget of the company? What does it include? Where is it flowing through? Is it part of an IT budget or a risk budget?"
In the interview, DeGraw also discusses:
- Recent health data breach trends;
- Emerging insider threats;
- Mistakes healthcare entities commonly make in their approaches to breach prevention and response.
DeGraw is a technology partner in the San Francisco office of the law firm Ropes & Gray. As co-leader of the firm's digital health initiative, he provides data incident crisis management counseling, leads investigations into potential data breach events, advises clients on establishing and conducting assessments of information security and data handling governance programs, and helps clients structure data licensing businesses. DeGraw advised retailer Target on data compliance and handling issues stemming from its 2013 data breach.