In the 21st century, cybersecurity breaches make headlines with such regularity it can be hard to keep track of them all. In 2014 alone, for example, JPMorgan suffered one of the biggest breaches in history, private photos of multiple celebrities were posted online, and an attack on Sony sparked a diplomatic dispute.
But for the executives at a targeted company, there’s no forgetting the day your company was hacked — or the months, even years, of clean-up work.
When Anthem became the latest high-profile victim of hackers in February, the fallout from which has predictably included litigation, Thomas Zielinski, the company’s executive vice president and general counsel, had to take on responsibilities he wasn’t accustomed to. In addition to his regular duties, Zielinski chairs the firm’s crisis committee, and after the breach he found himself staffing call centers, cooperating with an FBI investigation, and running interference against the 50 state attorneys general and 50 state insurance commissioners who all wanted an audience with Anthem.
“It was a 60 hour a week thing to be honest with you,” he said.
During a recent phone call with Big Law Business, Zielinski sounded off on the recent breach, the need for stronger data security regulations, better ways for firms to market their services, and finding work-life balance. To read part one of the interview, click here.
Part II Excerpts:
You know you need to have a really large law firm on your panel counsel that has all areas of expertise. Once the breach is discovered, you can’t go out and start looking for somebody who has an expertise in that area.
I will tell you, I must have gotten 100 emails from various law firms telling me they were experts in the area. You don’t have time to vet it, you know, so we were fortunate we had a big firm, Hogan Lovells.
I expect, as a result of this [breach], as an insurance industry, we’ll have more robust regulations coming out of each state’s insurance department which will impact, not just health, but the entire insurance industry in terms of cyber requirements.
It means nothing to me if you take me to lunch or sporting events. It really doesn’t. It doesn’t impact on my ability to hire you. I would prefer you didn’t do it.
Below is an edited transcript of the final installment of our two-part series with Zielinski.
Big Law Business: Anthem is currently in the news for a data security breach, which occurred back in February. How much time and resources has that been eating up?
Zielinski: In addition to being GC, I chair the company’s crisis committee, so I was the point person for our response, enterprise-wide, in all aspects. It has obviously settled down, but for the first month, six weeks, it was a 60 hour a week thing to be honest with you.
I had to deal with communications, I had to deal with the back office, I had to deal with the call center staffing, I had to do the contracts negotiated with the print company to do all the mailings.
We had a great team, but it took a lot of time. You had 50 attorneys general that were talking to you. You had 50 insurance commissioners who wanted to have an audience. And then there was a lot of outreach to our customers and large employer groups who obviously wanted to have some information. And then we interacted with the FBI during their ongoing investigation.
So it was very demanding. But I’ll tell you what I think is important. You know you need to have a really large law firm on your panel counsel that has all areas of expertise. Once the breach is discovered, you can’t go out and start looking for somebody who has an expertise in that area.
Although I will tell you, I must have gotten 100 emails from various law firms telling me they were experts in the area. You don’t have time to vet it, you know, so we were fortunate we had a big firm, Hogan Lovells.
They have expertise in a lot of these areas. They jumped right in and were a big asset for us. I’m not saying there aren’t other firms who could do it. I’m sure there are. It’s just that I had an existing relationship with a firm with that expertise. That was a real leg up for us.
Big Law Business: Some of the negative coverage of the breach focused on the fact that Anthem had the data of people who would’ve never guessed Anthem would have it. What’s your response to that?
Zielinski: I think a lot of people don’t understand the Blue Card. If you’re insured by Horizon Blue Cross Blue Shield in New Jersey, and your member is in Indianapolis and has to go to the hospital under the Blue Card, that member goes to someone in our network in Indianapolis. So the claims for that individual is in our system.
Someone who’s insured by Horizon never really realizes that they’re in a database of Anthem Blue Cross Blue Shield of Indiana. No fault to the members. I don’t expect them to understand all the nuances of the Blue Card. But that was the main reason why a lot of people didn’t understand why their information was in our database.
Also, in some instances, Anthem may receive a non-member’s claims data from a third-party for the purpose of continuity of care as the employer group changes carriers or offers additional coverage options for their employees.
In the event an individual moves from one insurance plan or carrier to another, the individual’s shared data helps to ensure there is no disruption in care. This is particularly helpful to individuals who manage a chronic condition, like diabetes for example. Due to the timing of the data transfer, Anthem may receive data on individuals who may ultimately choose to enroll with another carrier during the open enrollment process.
Big Law Business: Does the U.S. need comprehensive data security legislation?
Zielinski: Well we’re a large company, so we probably can’t afford the cost, but what I would like to see instead is a set of regulations that the business sector has input into. I’d like to see a robust set of criteria that each company or firm or whatever needs to comply with.
Right now you really don’t have a robust set of regulations that you have to be compliant with. We are certified by HITRUST, so that’s one organization out there that does that. But a lot of the companies and firms aren’t a part of that.
I expect, as a result of this, as an insurance industry, we’ll have more robust regulations coming out of each state’s insurance department which will impact, not just health, but the entire insurance industry in terms of cyber requirements. I think that’s a minimum that’s going to happen, and should happen.
Big Law Business: Would you like to see the FTC put out something more robust?
Zielinski: Well it’s much more cost effective and easier to be compliant if I know there’s one standard as opposed to having to comply with 50 different ones, or the more stringent of the 50. Personally, I prefer the federal regulations because there’s one standard that applies to everybody.
Big Law Business: We’ve been asking GC about the personal marketing efforts of firms — taking people to lunch and sporting events, for example. Do you have an opinion on that?
Zielinski: One, I don’t have time, and two, it means nothing to me if you take me to lunch or sporting events. It really doesn’t. It doesn’t impact on my ability to hire you. I would prefer you didn’t do it.
Big Law Business: So firms send you these kinds of invitations on a regular basis?
Zielinski: Constantly. I constantly get emails. I constantly get invitations. Personally, I’m hiring you because you’re a good lawyer, and you get good results. That’s all I want from you, and I will pay you a very fair rate for that.
You don’t need to take me to dinner to continue to get my business. In fact, there are some people I don’t use anymore because it got to be irritating, constantly getting invitations to have dinner.
Big Law Business: Then what works? What’s the best way for firms to reach out to you?
Zielinski: You know what gets my attention? Every law firm does it, but some law firms do it better than others — they send out these emails where they identify a decision that came down, or a new law, and do a write up on it.
If it’s well written, and it makes sense, I’ll read that, and if we’re not using that firm, I’ll call them, and ask them to come in and make a presentation.
If a firm is proactive and reaches out to me and asks for a meeting, I’ll have somebody look at what they do and try to get a handle on who in the firm has gotten some results. I’ll ask for more information — their bios and stuff.
Of course, in today’s world you just go to the law firm’s website, pick an individual lawyer, and there are 13 pages of everything this guy’s done since he graduated law school. Some of the pages are overkill. I might look at the website and say, “I don’t have time to read 13 pages for 10 people.”
Some firms do it better than others — it’s specific and concrete with some really great examples. That will trigger me to say, “Okay, come in and sit down, and bring the 5 or 6 people you want to bring, and we’ll have a discussion.” If I like what I hear, I give them an opportunity to handle something for us, and see how that turns out.
Big Law Business: What do you do for fun when you’re not working?
Zielinski: I’m the wrong guy to ask that question. I’m a workaholic. I have two boys. My youngest is a senior who’s very active, so I go to his track meets and baseball games. I play tennis and do yoga. Other than that, man, I work a lot.
Big Law Business: What’s the best book you’ve read or movie you’ve seen lately?
Zielinski: I’m a big fan of Atlas Shrugged. I know that’s an old time book, but that’s been a very impactful book for me.
I haven’t really seen a movie in years to be honest with you. I guess I do watch some of these crazy action movies with my kids. What was it called? “Fast and Furious 7,” or something? I did go see that.
(UPDATED: This interview has been updated to correct the name of Zielinski’s favorite book.)
