{"id":1480,"date":"2024-06-03T22:22:22","date_gmt":"2024-06-04T02:22:22","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/classactiondefense\/?p=1480"},"modified":"2024-06-03T22:35:26","modified_gmt":"2024-06-04T02:35:26","slug":"four-best-practices-for-deterring-cybersecurity-and-data-privacy-class-actions-and-mass-arbitrations","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/classactiondefense\/2024\/06\/03\/four-best-practices-for-deterring-cybersecurity-and-data-privacy-class-actions-and-mass-arbitrations\/","title":{"rendered":"Four Best Practices For Deterring Cybersecurity And Data Privacy Class Actions And Mass Arbitrations"},"content":{"rendered":"

\"\"<\/a>By Justin Donoho<\/a><\/strong><\/p>\n

Duane Morris Takeaway:<\/em><\/strong> Class action lawsuits and mass arbitrations alleging cybersecurity incidents and data privacy violations are rising exponentially.\u00a0 Corporate counsel seeking to deter such litigation and arbitration demands from being filed against their companies should keep in mind the following four best practices: (1) add or update arbitration clauses to mitigate the risks of mass arbitration; (2) use cybersecurity best practices, including continuously improving and prioritizing compliance activities; (3) audit and adjust uses of website advertising technologies; and (4) update website terms of use, data privacy policies, and vendor agreements.<\/em><\/p>\n

Best Practices<\/strong><\/p>\n

    \n
  1. Add or update arbitration agreements to mitigate the risks of mass arbitration<\/strong><\/li>\n<\/ol>\n

    Many organizations have long been familiar with the strategy of deterring class and collective actions by presenting arbitration clauses containing class and collective action waivers prominently for web users, consumers, and employees to accept via click wrap, browse wrap, login wrap, shrink wrap, and signatures.\u00a0 Such agreements would require all allegedly injured parties to file individual arbitrations in lieu of any class or collective action.\u00a0 Moreover, the strategy goes, filing hundreds, thousands, or more individual arbitrations would be cost-prohibitive for so many putative plaintiffs and thus deter them from taking any action against the organization in most cases.<\/p>\n

    Over the last decade, this strategy of deterrence was effective.[1]<\/sup><\/a>\u00a0 Times have changed.\u00a0 Now enterprising plaintiffs\u2019 attorneys with burgeoning war chests, litigation funders, and high-dollar novel claims for statutory damages are increasingly using mass arbitration to pressure organizations into agreeing to multimillion dollar settlements, just to avoid the arbitration costs.\u00a0 In mass arbitrations filed with the American Arbitration Association (AAA) or Judicial Arbitration and Mediation Services (JAMS), for example, fees can total millions of dollars just to defend only 500 individual arbitrations.[2]<\/sup><\/a>\u00a0 One study found upfront fees ranging into the tens of millions of dollars for some large mass arbitrations.[3]<\/sup><\/a>\u00a0 Companies with old arbitration clauses have been caught off guard with mass arbitrations, have sought relief from courts to avoid having to defend these mass arbitrations, and this relief was rejected in several recent decisions where the court ordered the defendant to arbitrate and pay the required hefty mass arbitration fees.[4]<\/sup><\/a><\/p>\n

    If your organization has an arbitration clause, then one of the first challenges for counsel defending many newly served class action lawsuits these days is determining whether to move to compel arbitration.\u00a0 Although it could defeat the class action, is it worth the risk of mass arbitration and the potential projected costs of mass arbitration involved?\u00a0 Sometimes not.<\/p>\n

    Increasingly organizations are mitigating this risk by including mechanisms in their arbitration clauses such as pre-dispute resolution clauses, mass arbitration waivers, bellwether procedures, arbitration case filing requirements, and more.\u00a0 This area of the law is developing quickly.\u00a0 One case to watch will be one of the first appellate cases to address the latest trend of mass arbitrations — Wallrich v. Samsung Electronics America, Inc.<\/em>, No. 23-2842 (7th Cir.) (argued February 15, 2024, at issue is whether the district court erred in ordering the BIPA defendant to pay over $4 million in mass arbitration fees).<\/p>\n

      \n
    1. Use cybersecurity best practices, including continuously improving and prioritizing<\/strong><\/li>\n<\/ol>\n

      IT organizations have long been familiar with the maxim that they should continuously improve their cybersecurity measures and other IT services.\u00a0 Continuous improvement is part of many IT industry guidelines, such as ISO 27000, COBIT, ITIL, the NIST Cybersecurity Framework (CSF) and Special Publication 800, and the U.S. Department of Energy\u2019s Cybersecurity Capability Maturity Model (C2M2).\u00a0 Continuous improvement is becoming increasingly necessary in cybersecurity, as organizations\u2019 IT systems and cybercriminals\u2019 tools multiply at an increased rate.\u00a0 The volume of data breach class actions doubled three times from 2019-2023:<\/p>\n

      \"\"<\/a><\/p>\n

      Continuous improvement of cybersecurity measures needs to accelerate accordingly.\u00a0 As always, IT organizations need to prioritize.\u00a0 Priorities typically include:<\/p>\n