By Alex W. Karasik
Duane Morris Takeaways: Data breach litigation is a billion-dollar industry worldwide. At the ASIAL Security Exhibition + Conference in Sydney, Australia, on August 22, 2024, Partner Alex W. Karasik of the Duane Morris Class Action Defense Group gave a highly anticipated 40-minute address, “A Deep Dive Into Data Breach Class Action Litigation.” The Conference, which had over 10,000 attendees, produced excellent dialogues on cybersecurity threats, mitigation strategies, data breach litigation, and the implications of artificial intelligence on data security.
The Conference’s robust agenda featured over 35 speakers from a wide array of backgrounds, including Australian government officials, data security industry experts, executives from blue-chip companies such as Amazon and Microsoft, and a lawyer from Chicago. In a masterful way, the agenda provided valuable insight for attendees from a broad range of backgrounds, including business owners, c-suite executives, risk officers, privacy professionals, technology start-ups, vendors, attorneys, journalists, and other individuals with interests in the tech, legal, and security industries.
I had the privilege of speaking about global data breach litigation risk, with a focus on the Unites States’ data breach class action landscape. A few of the highlights from my presentation include the following:
-
- Data breach class action lawsuit filings doubled from over 300 in 2021 to over 600 in 2022, and then doubled again to over 1,300 in 2023. I do not expect this trend to slow down any time soon.
- The last two years procured massive settlement totals, with over $515 million in 2023. Google and T-Mobile each settled data breach class actions for $350 million in the last two years. The financial exposure is enormous in data breach class action litigation.
- Major U.S. Supreme Court decisions (TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190 (2021)); pending class action litigation (In Re MOVEit Customer Data Security Breach Litigation, MDL No. 3083 (J.P.M.L. Oct. 4, 2023); and the next wave of data security class action claims (stemming from the recent CrowdStrike outage) will all continue to collectively and profoundly impact the data breach class action landscape.
- Low class certification rates, generally trending below 50%, provide some room for optimism for data breach class action defendants. Plus, with the large number of breaches that have now impacted a plurality of major corporations across all sectors, causation of damages is more difficult to prove than ever.
- Some of the “toolkit takeaways” for businesses include: (i) implement a multi-faceted approach to data security mechanisms; (ii) develop a data security task force within the organization; (iii) provide extensive training to employees, which will need to evolve as the types of threats change; and (iv) utilize arbitration agreements with class action waivers.
Finally, one of the greatest joys of attending an international conference is the opportunity to draw on the wisdom of my fellow presenters from across the globe. Below are a few of the highlights:
-
- “Employers cannot contract out risk.” I loved this quote from Australian government official, Justine Jones. This sentiment echoes many of my conversations with and publications prepared by U.S. EEOC Commissioner, Keith Sonderling, who has consistently noted in the artificial intelligence context that employers cannot simply point their fingers at vendors if hiring or recruiting software procures discriminatory outputs. Jones opined that even if businesses use third-parties for data security purposes, they still remain responsible.
- Brett McGrath, President of the Law Society of New South Wales, provided excellent insight on what I interpreted to be “cautious optimism” from the Australian legal system in terms of embracing artificial intelligence. He discussed the creation of a task force involving judges, lawyers, academics, and technology experts. Jurisdictions in the United States – at the local, state, and federal levels – would be wise to follow suit.
- Amazon’s Lindsay Maloney, Lead of Security & Loss Prevention, Australia & Singapore, highlighted hiring risks associated with different geographical markets. From my perspective, the rapid emergence of artificial intelligence laws involving employment decisions are often similar but not the same. This means American businesses likewise should take heed of where they are hiring and what technology they are using in each locale.
- Philip Meyer, a Technology Strategist at Microsoft, delivered an impactful address that examined the history of ChatGPT and the future of artificial intelligence. Philip’s commentary regarding Microsoft’s commitment to providing training meshed well with my message about how companies must embrace the training process, so that artificial intelligence and data security measures are deployed ethically and in the best interests of the organization.
- Brian de Caires, CEO of the ASIAL, opined on the need for consistent security standards across Australia. For those of you who follow my publications on artificial intelligence, privacy, and data security, a motif of my writings is that there is a patchwork of laws among a myriad of jurisdictions, creating a compliance minefield for employers.
Thank you to ASIAL and its incredible team, my fellow speakers, the engaging attendees, the media personnel, and all others who helped make this week in Sydney, Australia an informative and unforgettable experience “Down Under.”
For more information on the Duane Morris Class Action Group, including its Data Breach Class Action Review e-book, please click the link here.