Privacy breach class action lawsuits: A key battleground for cyber insurers

Privacy breach class action lawsuits: A key battleground for cyber insurers | Insurance Business America

Privacy breach class action lawsuits: A key battleground for cyber insurers

Sponsorship note: This article was produced in partnership with Tokio Marine HCC – Cyber & Professional Lines Group (CPLG).

Client expertise blurb: Bethan Moorcraft, of Insurance Business, sat down with Tamara Ashjian, Director of Cyber & Tech Claims, Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), to discuss the rise in third-party privacy breach class action lawsuits. 

Class action litigation related to security breaches has been increasing in number and trending in the United States. Companies and their cyber insurers are starting to feel the heat with a wave of new state-regulated data privacy laws that opened doors for plaintiff attorneys to file class action lawsuits.

“We took note of changes in data privacy legislation right before the height of the COVID-19 pandemic. The courts modified their schedules due to COVID and restricted in-person hearings and settings.  We saw a lull in litigation activity, but we’re now starting to see an influx of class action lawsuits,” said Tamara Ashjian (pictured), Director of Cyber & Tech Claims at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas.

Enforced since July 1, 2020, the CCPA grants data breach victims the right to file individual or class action lawsuits against businesses that allow unauthorized access to their private personal information because of a failure to implement appropriate security practices. To date, California is the only state with a private cause of action for breach of its data privacy statute.

Read next: What’s changed in the cyber insurance market?

“CCPA eliminates the requirement for plaintiffs to show evidence of damages. Instead, all they have to do is show evidence that their personally identifiable information (PII) and/or their Protected Health Information (PHI) was compromised (i.e. proof of exfiltration or unauthorized viewing of their private personal information). For this reason and others, California is an attractive forum for plaintiff attorneys,” said Ashjian. “In all states, it’s becoming more common to see class action lawsuits shortly after data breach notifications are issued, especially in California.”

This evolving legal landscape is “unchartered territory” for cyber insurers, according to Ashjian. We haven’t seen a US carrier try a third-party privacy breach class action lawsuit in court. Most of these cases get settled, and typically at large figures, so we’re keeping a close watch,” she said.

Class action lawsuits move very slowly. In the initial phase, the defense can file dispositive motions to try and dispose of all or some of the claims without the need for further trial court proceedings. If the lawsuit is not dismissed, then typically the plaintiff files a motion for a class certification.

“The goal is to cap exposure and minimize expenses,” Ashjian told Insurance Business. “It’s not a perfect science, so insurers are still trying to figure out how to best handle these cases. Facts and circumstances that give rise to security breach cases brought by consumers may be unique. The issue is that no-one wants to be the first to go through trial and test the defense case. No-one has yet rolled the dice. This is still very new.”

Read more: How underwriters prepare for the cybercrime battle

The exfiltration, or unauthorized viewing, of private personal information constitutes a cybersecurity breach, but Ashjian said there are proactive measures businesses can take with the help of their brokers, carriers, and IT forensic vendors/service providers, to mitigate their exposure to lawsuits.

“Brokers should encourage insureds to review their systems and ensure they have all of the recommended cybersecurity controls in place,” she said. “With the right protection against cyberattacks, you are less likely to suffer a breach and hopefully won’t have to deal with the class action lawsuits that are increasing following data breach notifications.

“Employee education and training are equally important. Phishing emails and employee negligence are still the primary [vectors] for network intrusions, and once the [bad actors] are in the system, there are so many ways that businesses are being affected, which can lead to class action lawsuits.”

CPLG is actively monitoring live class action litigation to determine whether its underwriters need to change their strategy around data privacy exposures. Ashjian commented: “We haven’t seen any big [underwriting appetite] changes from the market yet because this is still a new trend, but it’s one that we are watching very closely.”