Cybersecurity and Data Breach Lawsuits on the Rise, Lawyers Say
Class action lawsuits surrounding cybersecurity breaches have risen significantly in recent years and 2024 was no exception, lawyers said during a Practising Law Institute event Thursday. Speakers discussed trends from 2024 concerning litigation about data privacy, cybersecurity breaches and the Telephone Consumer Privacy Act.
Sign up for a free preview to unlock the rest of this article
Leonard Nuara, founding partner at Flatiron Law Group, espoused a holistic view of cybersecurity, saying it encompasses protection, prevention, detection and reaction. It includes making sure unauthorized people cannot access information, determining if someone did and issuing the proper notice and response in the event of a cyberattack, he said. “It's not just about the data all the time,” said Nuara. “It's [also] about ... access to the data or where it resides.”
Concerning confidentiality data breaches, around 60% involve personal information or internal data, he said. But human error is the reason for the failure in 68% of breaches, said Nuara. In contrast, he said, in just 15% of breaches third-party actors are the cause, like those in supply chains or outside vendors.
“2024 saw an explosion of cybersecurity breach class action suits,” said Ian Ballon, a lawyer with Greenberg Traurig. Additionally, privacy, ad technology and cybersecurity class action litigation have continued, he said. Other trends include an increased number of privacy claims and legislative action involving children, and health data litigation.
Despite several states having privacy laws, “most of those laws do not afford a private cause of action” besides California, Ballon said. “But ... all of these state laws impact what is reasonable and ... that's something to keep in mind, because as different states are requiring higher and higher standards of security and privacy, what constitutes reasonable measures, arguably, is changing."
Nuara said ransomware and extortion breaches are also rising. Extortion spiked at the end of 2024, he said. These involve bad actors accessing confidential information and threatening to leak it unless certain demands, usually monetary, are met. As a result, securing infrastructure has become more important, as has training employees and personnel to expect strange queries or requests, and not to answer them.
The rise of AI can enhance extortion when deepfakes are used, Nuara said. Bad actors can get a person's voiceprint by calling and having the person speak, then use it to create a deepfake of that person, he said.
Ballon agreed that AI has had an influence. "Obviously, artificial intelligence helps the bad guys figure out better ways to break into companies, but it also helps companies protect themselves,” he said. “So it's a bit of a two-edged sword in the cybersecurity breach area.”
“We also see increasingly suits by non-[subscribers] of various services,” he said. “A lot of the wiretap claims are brought on behalf of people based on their accessing a site or service or app before any kind of ascent is requested, in instances where ... a pixel fires before ascent is obtained.” There have been a lot of cases about ad technology and pixels, said Ballon, but most don't make it to court, and instead take the form of cease and desist letters. arbitration claims or demand letters for settlement.
Cases involving biometrics are also on the rise, Ballon noted, partially because of the Illinois Biometric Information Privacy Act. “There really is a lot of money at issue when you're dealing with biometric indicators,” he said: "This is only going to increase over time, because of the number of ways every day we are using biometric identifiers to provide security.”