The Federal Rules of Civil Procedure allow a defendant to remove an action from state court to federal court as long as the federal court would have subject matter jurisdiction over the litigation in the first place. A federal court will have subject matter jurisdiction over any case where it has diversity jurisdiction or any case presenting a federal question. The analysis of federal procedural questions in the context of data breach cases may involve everything from complex corporate structures (such as Anthem Blue Cross), complex facts (a cyberattack by a foreign government), as well as complex causes of action and, therefore, may present a number of unique issues for courts.

One recent example is seen in Gallo v. Unknown Number of Identity Thieves, 17-cv-01465 (May 31, 2017), where the plaintiff David Gallo (“Gallo”), began receiving calls from strangers claiming they found Gallo’s law firm charged their credit cards for legal work that was never completed. After conducting his own investigation, Gallo found the fraudulent charges were being run through a company called “LawPay” by thieves using a merchant account opened using Gallo’s personal information. Last January, Gallo spoke with another attorney that also had a fraudulent LawPay account set up in her name using her personal information obtained through the large hack at Anthem and its affiliates.

Based on his investigation, Gallo filed a complaint in the San Diego County Superior Court alleging that his personal information divulged in the Anthem hack was used by thieves to set up the accounts that would fraudulently charge for legal services.  Gallo’s complaint contained a request for an injunction against the identity thieves and a negligence claim against Anthem. In February, Anthem filed a notice of removal of the action to the United States District Court for the Southern District of California asserting the federal court had jurisdiction because the case presented questions related to “national security interests and the Health Insurance Portability and Accountability Act 1996” (“HIPAA”).  Anthem also claimed removal was necessary due to the federal questions under the Employee Retirement Security Act (“ERISA”). On March 21, 2017, Gallo filed a motion to remand which gave rise to this decision.

  • The District Court found it did not have diversity jurisdiction

First, as with any case where removal is a question, the court examined whether there was a diversity of citizenship between the parties. Here, the Court found it did not have diversity jurisdiction and removal was not justified when Gallo was a citizen of California and Anthem was a California corporation. Anthem claimed that Gallo named the wrong entity when he named Anthem Blue Cross rather than Anthem Inc. That is, Anthem asserted there would be a diversity of citizenship if Gallo had properly named Anthem, an Indiana corporation, as a defendant for the unauthorized disclosure of Gallo’s private information. The Court found it did not have jurisdiction and found all references to “Anthem” in the complaint referred to Anthem Blue Cross, a California corporation.

  • The breach does not constitute a “national emergency” requiring federal court jurisdiction

In an effort to support its request for removal, Anthem also argued “[t]he cyberattack that forms the basis of Plaintiff’s Complaint carries extraordinary national significance.” In particular, Anthem claimed “[t]he cyberattack on Anthem was perpetrated by a highly sophisticated Advance Persistent Threat (“APT”) affiliated with the Chinese government’s intelligence ministry.” Therefore, Anthem claims, it follows the cyberattacks by foreign state actors constitute a “national emergency” which require the “federal courts to have jurisdiction over state law claims related to data breaches by foreign state actors.”

In rejecting Anthem’s argument, the Court found “[a]lthough Anthem Blue Cross argues extensively that cybersecurity is an issue of national scope and importance, Anthem Blue Cross does not identify any federal law that would be implicated by the instant case. Instead, Anthem Blue Cross concedes that state common law and statutory law governs each of Gallo’s claims.” The Court further held that “although the breach at issue had nationwide consequences,” in the end this is merely a case between a California resident and a California corporation.  Therefore, the Court did not have jurisdiction of this case under this argument either.

  • Anthem’s beliefs that Gallo’s allegations are “implicitly based on HIPAA” do not require the case be removed to federal court.

Anthem also argued that removal was appropriate because Gallo’s “state law and statutory causes of action are predicated on alleged violations of HIPAA.” Gallo’s complaint, however, contained no reference to HIPAA and did allege that any health information had been taken or misused. Instead, Anthem claimed Gallo’s complaint was “implicitly based on HIPAA.” Consequently, the Court found that it has not been shown how HIPAA was sufficiently relevant to this case to establish federal jurisdiction.

Even after finding no HIPAA-related violations, the court further noted that a number of courts have already found that “HIPAA does not provide for a private right of action.” That is, the Court had concern that if it found it had jurisdiction based on Anthem’s argument that the Complaint’s allegations are “implicitly based on HIPAA,” there was a chance that Anthem could make an “end-run around clear precedent precluding a private right of action under HIPAA.”  Therefore, the Court found these allegations did not give the Court jurisdiction over this case.

The thorough analysis by the Court on the simple question of whether Anthem was able to remove this action demonstrates the complex procedural questions potentially arising from data breach cases.  That is, there were questions concerning whether Gallo named the proper Anthem Entity (Anthem Blue Cross of California or Anthem, Inc. of Indiana), which Anthem entity held Gallo’s personal information and which Anthem was the victim of a cyberattack.   Further, Gallo and Anthem have not even reached the complexities seen during the discovery phases and motion practice.  While the Court does not address the issue, the question of whether Gallo has the correct Anthem entity may come back to haunt him if it is shown that Anthem, Inc. of Indiana actually stored Gallo’s information and was the target of the Chinese cyberattack.