Privacy and cybersecurity litigation is increasing and is likely to escalate. A recent study by the Locke Lord law firm identified seven key issues to consider in a lawsuit.
- Standing to sue: plaintiffs need to show actual damages or harm, reasonable fear of future damages and/or statutory damages.
- Type of claim: tort, contract or statutory.
- Possible damages: compensatory, contractual or liquidated, statutory and/or punitive or exemplary damages (the latter may not be insurable depending on jurisdiction). Suits may request injunctive relief. Additional costs are pre- and/or post-judgment interest and attorney fees.
- Class action: certification of a class can be damaging to public relations and increase the complexity of a settlement. Even though most class actions settle out of court, the process can be costly and complicated.
- Who is responsible: the party being sued may not be responsible, or others can be brought in. A company can be responsible for its employees or vendors acts or omissions (read your indemnification agreements!). Companies can also be responsible for failure to comply with statutes or regulations, or with their own privacy policies. Companies may want to file third party complaints
- Challenges during litigation: proving/disproving harm; explaining technology; establishing if security met current standards; managing multiple parties and/or cases.
- Response to a cyber incident: since lawsuits are usually filed quickly your company needs a response plan, including
- Notify your insurer (check policy requirements - some insurers require immediate written notification).
- Engage experienced counsel, with insurer's consent if needed.
- Protect work product.
- Keep a record of all actions.
- Comply with all notification requirements.
- Be prepared to deal with public relations, preferably through a crisis management firm.
Whether your firm is a plaintiff or defendant, prepare to address these issues.