Skip to main content

Articles

Why Policies and Best Practices Matter: Current Data Security and Data Privacy Litigation Trends

Author

Kathryn C. Nadro

Date

April 17, 2024

Read Time

7 minutes

Share

person working on a computer with floating images indicating litigation, law, data security

The landscape of cybersecurity, data security, and data privacy continues to evolve rapidly. By staying abreast of the latest litigation trends, savvy business owners can take appropriate measures to prevent litigation in the first place and respond quickly and appropriately if claims do arise.

Common Data Security Claims

Data security claims typically arise from the unauthorized access or disclosure of personal data belonging to consumers, which can occur in several situations, such as:

  • Lost/stolen devices containing unencrypted personal data
    • Cybersecurity incidents involving unauthorized access/use of personal data
    • Ransomware attacks
    • Insider threats, such as rogue employees accessing data in an unauthorized manner

Taking steps to prevent these situations can reduce the risk of litigation. When events happen, data security litigants often bring claims with the following causes of action: Data Breach Notification Laws: There are currently 54 different data breach notification laws for states, territories, and tribal jurisdictions in the United States – plus other laws in countries outside the United States. Data breach statutes typically require that the organization notify consumers whose information was accessed or exfiltrated, depending on the state where the consumer resides.[1] Additionally, in certain states, the organization must notify state regulators or attorneys general for breaches over a certain threshold.[2]

  • Consumer Fraud or Consumer Protection Claims: Claims may be brought under consumer fraud or unfair or deceptive trade practice statutes under the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”[3] Claims arising under these laws generally include allegations that there was a false or misleading statement related to either a business’s cybersecurity controls or its ability to protect consumer data. For instance, in 2022, Zoom settled litigation in which plaintiffs asserted that Zoom made misleading claims about the security of its communications (namely, that Zoom had end-to-end encryption) and failed to prevent unauthorized meeting disruptions.[4]
  • Negligence Claims: Plaintiffs may claim that the business had a duty to protect the security of personal data, whether that data belongs to customers, investors, or employees. A recent Pennsylvania Supreme Court case held that an employer has “a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer.”[5] The court focused on an employee’s lack of choice in providing personal information to the employer. Accordingly, the power imbalance in the employee-employer relationship imposes an enhanced duty on the employer to safeguard employees’ data.
  • Breach of Fiduciary Duty Claims. For professional service firms, a failure to protect personal data is often characterized as a breach of fiduciary duty. For instance, the law firm Orrick, Herrington & Sutcliffe, International, LLP recently settled a consumer class action lawsuit against it following a data breach that resulted in the theft of personal information of over 460,000 individuals. [6] The class brought claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy.
  • Other common law claims: These can include implied contractual theories, such as when an employer’s policies and employee handbooks include representations that the employer and any third-party vendors will protect employee personal data[7].

Common Data Privacy Litigation Claims

In addition to data security claims, businesses should be aware of potential data privacy claims. Specifically, the failure to comply with the following data privacy laws can subject a business to potential litigation:

  • Consumer Fraud Statutes. These claims are also brought under state consumer fraud or consumer protection statutes, and the litigation generally involves claims that a business had made a false or misleading statement about a business’s commitment to maintaining privacy of personal data, such as misleading statements about a business’s privacy policies on its website. Recently, the Federal Trade Commission (FTC) has also brought several claims alleging that a lack of “reasonable” data security measures constitutes an “unfair business practice.” This trend may influence state consumer fraud and unfair business practices statutes, with legislatures considering whether inadequate data security should be deemed an “unfair business practice” under state law.
  • Invasion of Privacy Claims: In these cases, plaintiffs assert statutory claims under laws prohibiting invasion of privacy, eavesdropping, or wiretapping. For instance, California’s Invasion of Privacy Act prohibits recording or listening to private electronic communications without the consent of one of the parties to the communication. Many other states, such as Michigan and Pennsylvania, have similar laws prohibiting recording or eavesdropping activity without the consent of all parties.

Plaintiffs have filed litigation against Apple, Amazon, and Google for alleged unauthorized listening by their personal assistant products Siri, Alexa, and Google Assistant.[8] In the case of Google, the court held that it could not be sued as it was a party to the communication it allegedly listened in on.[9]  

  • Breach of Contract Claims: Claims frequently arise under inadequate privacy policies and the subsequent unauthorized disclosure of personal data. For instance, in Calhoun v. Google[10], which involved third-party data sharing, the court determined Google’s many different privacy policies had offered adequate notice of Google’s data collection practices and users had properly consented. Facebook, another frequent defendant, has been sued several times for allegedly disclosing consumer data in violation of its posted privacy policies and without adequate consent.[11]
  • Biometric Information Privacy Laws: Several states, notably including Illinois, have strict laws protecting the privacy of biometric information, such as retina or iris scans, fingerprints, voiceprints, or other biometric identifiers.[12] Claims arising under the Illinois Biometric Information Privacy Act (“BIPA”) generally assert a failure to disclose or an improper collection claim, not a data security claim. BIPA also affords plaintiffs the opportunity to win stinging damages claims for violations, with $1,000 to $5,000 in statutory damages available for each improper collection of biometric information. In light of such potentially ruinous damages awarded for a violation of BIPA, all businesses collecting biometric information in Illinois should make sure they have proper notice and consent procedures in place.
  • State Data Privacy Laws: Laws in this space are frequently changing. There are currently 16 states with a comprehensive data privacy statute:
    • California (Cal. Civ. Code §§ 1798.100 to 1798.199.95)
    • Colorado (SB21-190)
    • Connecticut (Substitute for S.B. No. 6 Session Year 2022)
    • Delaware (Delaware House Bill 154)
    • Indiana (Senate Bill 5)
    • Iowa (Senate File 262)
    • Montana (SB 384)
    • New Jersey (SB 332)
    • Oregon (Senate Bill 619)
    • Tennessee (HB 1181)
    • Texas (HB 4)
    • Utah (S.B. 227)
    • Virginia (Va. Code § 59.1-575)
    • New Hampshire’s privacy law has been passed (S.B. 255)
    • Maryland (SB 541)
    • Kentucky (SB 15)

Currently, only the California Consumer Privacy Act (“CCPA”) offers a private right of action, but other states may offer a private right of action in the future.

How to Mitigate Risks of Data Security and Data Privacy Litigation

As states continue to enact cybersecurity and data privacy laws, and plaintiffs become more litigious, businesses need to stay up to date on the latest data privacy and security laws and best practices – and how those laws and best practices impact their business and industry. If you have questions about data privacy and security litigation trends, policies, and best practices, please don’t hesitate to reach out.

[1] See, e.g., Cal. Civ. Code §§ 1798.29, 1798.82, 1798.150, 1798.84.

[2] Cal. Civ. Code § 1798.29.

[3] 15 U.S.C. 45 et seq.

[4] See In re Zoom Video Commc’ns, Inc. Privacy Litig., 2022 WL 1593389 (N.D. Cal. Apr. 21, 2022).

[5] Dittman v. UPMC, 649 Pa. 496, 499–500, 196 A.3d 1036, 1038 (2018).

[6] See In re Orrick, Herrington & Sutcliffe LLP Data Breach Litig., No. 3:23-cv-04089-SI (N.D. Cal. Dec. 21, 2023)).

[7] In re GE/CBPS Data Breach Litig., No. 20 CIV. 2903 (KPF), 2021 WL 3406374, at *1 (S.D.N.Y. Aug. 4, 2021).

[8] See, e.g., Garner v. Amazon.com, Inc., 603 F.Supp. 3d 985, 996 (W.D. Wash. 2022) (unregistered individuals in the room with an Alexa device had not received proper notice and given consent to the recording).

[9] (In re Google Inc. Cookie Placement Consumer Privacy Litig.), 806 F.3d 125, 152 (3d Cir. 2015).

[10] Calhoun v. Google, LLC, 645 F.Supp.3d 916, 920 (N.D. Cal. 2022)

[11] In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 801 (N.D. Cal. 2019)

[12] Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Comm. Code Ann. § 503.001; Washington Biometric Law, RCW §§ 19.375.010 to 19.375.040; Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq.

Filed under: Corporate

Related insights

April 24, 2024

A Master Class in Leadership: A Conversation with Allan Koltin

Read More

April 17, 2024

Why ESOPs Work for Professional Services Firms

Read More