Stuart M. Gerson, a Member of the Firm in the Litigation and Health Care & Life Sciences practices, in the firm's Washington, DC, and New York offices, was quoted in The AIS Report on Blue Cross and Blue Shield Plans, in “In Recent High-Profile Cybersecurity Cases, Plaintiffs, Defendants Have Much to Prove.”
Following is an excerpt:
Attorneys representing the plaintiffs will need to show that injury occurred on a class-wide basis. And that can be challenging, notes Stuart Gerson, an attorney at the law firm Epstein Becker and Green. Despite widespread publicity and concern about individual identity theft, most data intrusions are not directed at individuals. Instead, they typically are aimed at gaining large blocks of information that can be used in attempting to defraud the government and private payers, he explains. Credit monitoring and other immediate remedial steps do much to deal in advance with potential individual claims and to render them unnecessary. “In terms of class certification — the fundamental goal of plaintiffs’ lawyers in these cases — their difficulty is in showing that their individual clients are typical of a large class of people and, because claims of actual or potential injury are so individualized, in showing that common legal issues predominate over factual matters,” he says. “Courts are generally reluctant to approve claims about alleged future injuries based on conjecture and dubious expert theories.”
Human error and negligence are the causes of most data breaches, says Gerson. To protect themselves, insurance carriers must first ensure they have a rigorous compliance program that, among other things, addresses control and security of portable devices — a major factor in many breaches — including laptops, tablets and thumb drives. On the systemic front, health plans should ensure that all critical data are backed up to secure facilities and that such data are encrypted. Employees also should be instructed on the careful use of social media and on email threats such as phishing. They also should be trained to avoid attempts at “social engineering,” which he explains are efforts to con them out of information such as passwords. Passwords used by employees, he adds, should be “strong” and periodically changed.