Class-action lawsuits related to data privacy have been on the rise for years, but in 2023 they could break records. There were 242 data-breach class actions by the end of June, which is about the total filed in all of 2022, according to a Law.com Radar report. The monthly average of data breach class actions was 44.5 from January through August, nearly double of last year’s 20.6.
There is a corresponding challenge to businesses facing increasing regulatory responsibility for data protection.
Sarah Hutchins, partner at Parker Poe Adams & Bernstein, said several other states are expected to pass legislation around data privacy and security in the new year. Hutchins is based in Charlotte and leads Parker Poe's cybersecurity and data privacy team. She said the surge in litigation around data privacy is directly related to the rise in state and federal regulations surrounding data privacy and security.
The N.C. General Assembly considered a bill titled the Consumer Privacy Act in the last session. The bill, SB 525, never made it out of committee. It called for prohibition of businesses processing sensitive data without giving clear notice to consumers and an opportunity for them to opt out.
What's causing the surge in data breach litigation?
There also has been more breaches as the world continues to digitize, and that means more losses for businesses, Hutchins said. There’s also been an increase in the number of people affected by data security incidents in the last decade, but especially following the pandemic. During the peak of Covid-19, many companies were working to adapt to the environment by going virtual, offering more services electronically and being more comfortable with data.
“So, that's just going to increase the chance that it's attractive to a plaintiff's attorney to form a class and bring a lawsuit as a result of a breach,” she said. “And what that does, is, I think, it gives the plaintiff’s bar something to point to in certain instances as to what measures should be employed by businesses to safeguard the data that they collect, retain and use.”
Companies of all sizes and industries are facing these lawsuits. But cybercriminals will always be more attracted to industries that hold more sensitive data such as health care and finance. Hutchins said she especially saw security breaches uptick in the education space this year. Schools entered the data world much more during the height of the pandemic in 2020.
“I think that the education sector, in particular both K-12 and higher education, they're holding a lot of data that is just sensitive to a lot of students and parents,” she said. “And it unfortunately felt a huge brunt this last year.”
How to navigate data breaches and related class actions.
Important to note is many businesses try to avoid a lawsuit in the first place. Because even if they’re not found liable, the cost and disruption of a lawsuit is never good for business, Hutchins said.
But the main focus when working on these cases are on compliance and a thorough assessment of what kind of data the affected business has, how they use it, store it and who they share the information with. She said her team also works to ensure affected companies have outward and inward facing data privacy policies that are accurately reflected.
The next step is practice. Hutchins has her clients participate in tabletop breach exercises, which includes running through how company leaders would react in a breach so their readiness is tested.
It's also important for businesses to test their staff. Many cybercriminals gain access to data through email phishing schemes, so it can be beneficial to teach employees how to recognize an attempted attack to protect the company.
“Because personnel tends to be frankly the weak point, not necessarily the technical infrastructure,” Hutchins said. “And I think educating company leadership about how worthy investment is on the technical infrastructure side and training and legal compliance is really important.”
If a breach does occur, her team ensures clients know the plan and engage legal counsel first. She also suggests businesses maintain attorney client privilege in the event if a lawsuit were to occur in the future. It's also key to make certain all communication during a breach incident is accurate and consistent so there’s no misinformation, because the “immediate aftermath of a breach can be chaotic,” she said.
“And so the question really comes down to: Did the business make it more susceptible than it should have to an incident? Because even the most secure company in the world can experience one,” Hutchins said.
