The Class Action Weekly Wire – Episode 60: Digital Frontier Survival Guide For Corporate Counsel: Cybersecurity And Data Privacy Best Practices


Duane Morris Takeaway:
This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and special counsel Justin Donoho with their discussion of best practices for corporate counsel to address liabilities and lawsuits emerging from the cybersecurity and data privacy landscape. Recent years have seen an exponential rise in class action lawsuits and mass arbitrations as a result of cybersecurity incidents and data privacy allegations, involving a growing list of technologies. In light of these developments, implementation of data privacy and security best practices is a corporate imperative for mitigating risk and deterring litigation.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Google Podcasts, the Samsung Podcasts app, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, YouTube or our RSS feed.

Episode Transcript

Jerry Maatman: Thank you, loyal blog listeners and readers for joining us on this week’s installment of the Class Action Weekly Wire. This is our 60th podcast in our series, and I’m privileged and honored to welcome Justin to be our guest on today’s podcast. Welcome, Justin.

Justin Donoho: Thank you, Jerry. Great to be here.

Jerry: So, today we’re going to be discussing a hot topic: cybersecurity, data breach, and privacy class actions in general, and things that can be done to get ahead of the curve and to mitigate or eliminate these particular risks. And, Justin, I know you’re a thought leader in this space, so we wanted to discuss with you today some of the trends and thoughts you have in this particular space.

Justin: That’s generous, but thank you. And yes, in the past few years we’ve seen an explosion of class action lawsuits alleging cybersecurity incidents where criminals have compromised organizations’ computer networks and stolen their data or held it hostage for ransom payments. Lately, we’ve also seen a spike in data privacy class actions alleging companies’ unauthorized use of advertising technologies on their websites – like the Meta Pixel and Google Analytics, which send users web browsing information to Meta and Google, which are the world’s two largest advertising agencies – and other website advertising technologies, or “adtech.” We are tracking both of these types of cases, cyber security and data privacy, quite extensively, and unfortunately can report that they continue to proliferate in 2024.

Jerry: Thanks, Justin. You did a post on the Duane Morris Class Action Defense Blog this past week that got some of the highest reviews and most clicks among our readership in terms of advice you had for corporations to get ahead of these risks. What are some of the key things that you think companies ought to be thinking about, considering, and implementing to mitigate their risks?

Justin: Yes, thank you. First, let’s talk about the use of arbitration agreements that mitigate the risks of both class actions and mass arbitrations. Our audience is likely familiar with the arbitration agreement defense when it comes to defeating class actions. This defense was largely successful over the last decade in making claims just go away. But times have changed – those arbitration agreements need to be tweaked to mitigate the risks as well as mass arbitrations, which can cost companies millions of dollars to defend. Mass arbitrations are becoming increasingly popular, especially for cybersecurity and data privacy class actions that bring high-dollar novel claims for statutory damages with class sizes often totaling millions of people. Enterprising plaintiffs’ attorneys with big war chests and litigation funders are increasingly using mass arbitrations to pressure organizations into agreeing to multimillion dollar settlements just to avoid the massive arbitration costs. Proactive measures organizations are taking to mitigate this risk include adding mechanisms in their arbitration clauses, such as predispute resolution clauses; mass arbitration waivers; bell weather procedures; arbitration case filing requirements, and more.

This area of the law is developing quickly. One case we are watching will be one of the first appellate cases to address the latest trend of mass arbitrations – it’s Wallrich v. Samsung, in the Seventh Circuit. At issue there is whether the district court erred in ordering the defendant facing data privacy claims to pay over $4 million in mass arbitration fees.

Jerry: Well, I know this is a hot area and an ever evolving area in terms of arbitration issues. But also you touched on another area, and that would be data breach class actions. This, to me, is an area that, just as like the tsunami wave breaking on the beach, that the claims have doubled from 2019 to 2020, then doubled again in 2021 to 2022. Last year there were 1,320 data breach class actions brought countrywide. And this year, so far, we’ve tracked about 600. And so the crest of the wave is anywhere from ending. What do you think in this area of data breach class actions in terms of what companies can do to address this risk?

Justin: Yeah, exactly, Jerry. It’s important that companies keep pace with a tsunami wave of their own in their pursuit of continuously improving their IT practices and cybersecurity measures. There are definitely some cybersecurity best practices that companies can be doing, not only to prevent cyber security incidents from happening in the first place, but also to defend against one of plaintiffs’ main argument in many of these class actions – that organizations failed to use reasonable cybersecurity measures.

Each organization will have its own priorities, to be sure, but here are just a few typical ones:

  • improve IT governance;
  • comply with industry guidelines such as ISO, COBIT, ITIL, NIST, and C2M2;
  • deploy multi-factor authentication, network segmentation, and other multi-layered security controls;
  • stay current with identifying, prioritizing, and patching security holes – as new ones do continuously arise;
  • design and continuously improve a cybersecurity incident response plan;
  • routinely practice handling ransomware incidents with tabletop exercises – tabletop exercises may even be covered by your insurance company; and
  • implement and continuously improve security information and event management systems and processes.

Jerry: There’s another emerging litigation trend with respect to web browsing. And you had mentioned Meta Pixel and Google Analytics – and as someone who has a computer science degree and understands what’s going on, how do you translate that for corporate counsel in terms of the risk posed by the plaintiffs’ bar focusing on those particular activities?

Justin: Well, this is a very popular type of case right now, for sure. One first step that companies can do to is to to mitigate these risks of those types of cases is to find out if, and to what extent, they may be using these website advertising technologies. Millions do. Some companies served with an adtech lawsuit have not even known that any adtech was installed on their websites. It could have been installed by a vendor without the proper authorization of protections. Or even as a default, without any human intent, through the use of some web publishing tools.

Organizations should consider whether to have an audit performed before any litigation arises as to which adtech is, or has been installed, on which web pages, when and which data types were transmitted as a result. Multiple experts specialize in adtech audits just like this and also serve as expert witnesses, should any litigation arise. An adtech audit is relatively quick and inexpensive, and it might be cost beneficial for an organization to perform an adtech audit before litigation arises. It might convince an organization to turn off some of its unneeded adtech now, thereby cutting off any potential damages relating to that adtech in a future lawsuit. It could also assist in presently updating and modernizing website terms of use and data privacy policies to more fully inform users about the company’s use of adtech and vendor agreements to prohibit vendors from incorporating any unwanted adtech into the company’s websites. These updates to company documents could help defeat some of the high-dollar fraud claims and other claims we constantly see in these types of cases.

Jerry: Those are great insights, and I would recommend to all our blog listeners and readers to take a look at Justin’s blog post from this past week – I called it an essential reference or desk guide, or survival packet, to navigate through the thicket of all these particular issues.

Well, thank you, Justin, for joining us for this week’s Class Action Weekly Wire.

Justin: Thanks for having me, Jerry.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress