Data Breach Risks
Regulatory Environment, Claims Trends & Coverage Considerations
Data breaches make businesses vulnerable to regulatory action and class action liability risks. Companies that collect data—whether from employees or customers—need to be aware of the claims trends and coverage considerations surrounding unlawful data collection practices and data breach risks.
Data Privacy Class Action Developments
Businesses regularly collect data on everything from consumer shopping and internet browsing habits to employee identification and financial information. As data sources, collection and uses increase, so do the litigation exposures.
Businesses may face lawsuits when data is collected without consent, used improperly or exposed due to lax security standards.
What Is Unlawful Data Collection?
The term “data” can refer to any type of facts, figures or statistics that a company collects.
When businesses collect or store data in ways that violate state or federal laws, they may face accusations of unlawful data collection practices. Since laws are developing, what constitutes unlawful data collection may change rapidly.
Four Developing Litigation Exposures
High-profile class-action lawsuits include one against Facebook that resulted in a $650 million settlement and one against Google that resulted in a $100 million settlement. In July 2024, the Attorney General of Texas announced that he had secured a $1.4 billion settlement with Meta over the company’s use of biometric data—the largest settlement ever from a class-action lawsuit brought by a single state. However, it’s not just large tech companies that are vulnerable to these claims; any company that uses biometric data is at risk. For example, Kiosk Marketplace says the fast food chain Steak ‘n Shake has been sued over its collection of facial recognition data via its ordering kiosks.
CIPA Wiretapping Claims: Beyond just video viewing behavior, pixel tracking and biometric data, any unauthorized collection of personally identifiable information (PII) or protected health information (PHI) may result in litigation. Such lawsuits are a growing risk as states pass strict data privacy laws. Plus, existing laws, such as the California Invasion of Privacy Act (CIPA), are being used in new ways.
CIPA is a 1994 law that prohibits the recording of confidential conversations without the consent of everyone involved, making California a two-party consent state. Originally, the law was primarily applied to phone calls, but as communications technology evolves, it has found new applications.
According to Nixon Peabody, there has been a flood of CIPA litigation. Even companies that tried to be diligent about creating compliant privacy policies are getting hit with lawsuits accusing them of aiding wiretapping due to the use of third-party technology. For example, The National Law Review reported that Domino’s Pizza, Inc. and ConverseNow Technologies, Inc. have been sued over the use of ConverseNow’s Voice AI technology, which records and analyzes customer data to process orders and suggest additional items. Furthermore, the American Bar Association states that some new CIPA cases have focused on website tracking technologies, alleging that they record interactions and therefore amount to unlawful pen registers.
Final SEC Cybersecurity Disclosure Rule
As cybersecurity threats proliferate, the SEC has sought to protect investors. This approach has led to a final cybersecurity disclosure rule, which was adopted in 2023.
This rule creates two new requirements for public companies:
An incident is material if a reasonable investor might consider it important when making an investment decision. To determine whether an incident is material, companies should apply the same considerations they would use for other types of events.
These disclosure requirements will give investors consistent and comparable disclosures that can be used to evaluate companies. However, the disclosures may also give government agencies and plaintiff lawyers more opportunities to find fault with a company’s cybersecurity practices, leading to increased liability.
How can companies prepare for increased scrutiny?
Embrace transparent, proactive cybersecurity risk management at the upper levels of a company. Management and board members can oversee cyber risks in a real and robust way.
Risk Management Strategies
Businesses in all industries are leveraging innovative technologies to improve customer service, increase sales and optimize operations. However, these technologies tend to necessitate the collection of data. Both consumers and lawmakers are increasingly concerned about what happens to this data. It’s important to be mindful of the risks and implement appropriate risk management strategies.
Data Breach Coverage Considerations
Whether a cyber insurance policy provides coverage in specific instances will depend on its terms.
When comparing data breach coverage options, consider these issues: