    Global cyber attacks spark legal wave hitting smaller organizations hardest

    No breach is too small as post-event litigation accelerates in the US

    As global brands, from Mango and Jaguar Land Rover to Gucci and British Airways, confront major cyber disruptions, legal experts say that cyber liability is shifting to a new phase in which lawsuits and regulatory probes are no longer reserved for headline-making mega breaches.

    Josh Mooney, US head of cyber and data privacy at international law firm Kennedys, told Insurance Business America that smaller cyber incidents affecting only tens of thousands of individuals are increasingly drawing lawsuits, regulatory investigations, and complex cross-border legal challenges.

    “In the US, there is a growing proliferation of data breach litigation,” Mooney said. “What’s particularly noteworthy is that this proliferation is not limited to high-profile attacks. We are seeing more and more cases being filed for smaller breaches involving tens of thousands of individuals, not just millions.”

    A few years ago, Mooney explained, a breach affecting under 20,000 individuals might not have triggered a single lawsuit. Today, those same breach events may result in multiple class action filings across various jurisdictions.

    “In a breach involving 700,000 people two years ago, you might expect one or two lawsuits,” he said. “Now, you’re seeing six, seven, or eight suits filed nationwide, often consolidated into a single action. And we’re seeing the same pattern for smaller breaches.”

    Regulatory notification as a litigation trigger

    The moment a breach involves personally identifiable information (PII), organizations face a host of legal obligations, beginning with notification requirements under state laws. Unlike GDPR’s broad definition of “personal data,” US statutes define PII more narrowly, but once triggered, they can set into motion a chain of regulatory and legal consequences.

    “What regime is that organization regulated under? What regulators do we have to notify? How aggressive are those regulators?” Mooney said. “In healthcare, for instance, we’re seeing an uptick in investigations by the Office for Civil Rights (OCR). Once the breach is public, lawsuits are often filed almost immediately.”

    Many state laws require substitute notice (i.e., posting a public announcement of the incident and issuing a press release) if the affected individuals cannot be reached directly. According to Mooney, this mandatory disclosure is a major catalyst for class action filings.

    To date, few of these cyber class actions go to trial. Instead, multiple suits are consolidated, and defense counsel move quickly to dismiss the claims or narrow their scope, Mooney noted. Plaintiffs must show either actual injury caused by the breach or a credible risk of future harm. If the alleged damages are deemed speculative, the case may be dismissed early.

    “Defense strategy focuses first on standing and pleading deficiencies. If the case survives a motion to dismiss, discovery proceeds, and that’s usually when settlement discussions begin,” Mooney said.

    Cross-border breaches increase complexity

    Many of today’s cyberattacks have global scope, which also raises complicated jurisdictional questions. An incident may be considered a breach in the EU or UK, triggering a 72-hour notification timeline under GDPR, while the same event may not constitute a breach under US law.

    “The timelines, definitions, and applicability vary significantly,” Mooney said. “We have to look at the organization’s operations, where data subjects reside, and whether those laws apply extraterritorially.”

    Cyber insurers will be watching these litigation trends closely as claim frequency rises and regulatory scrutiny intensifies. With more actions being filed over smaller breaches, carriers may face increased defense and settlement costs even on mid-sized risks.

    Regulatory enforcement against cyber breaches is maturing

    One of Mooney’s key warnings for organizations is that regulators are becoming more assertive. As privacy and breach-reporting regimes mature, agencies such as state attorneys general offices and health regulators are taking more aggressive enforcement actions. He urged organizations to proactively strengthen cyber controls, both to mitigate risk and to demonstrate good faith in the event of an investigation.

    “A regulator is not going to come knocking on your door until you’ve had a breach,” Mooney said. “At that point, they will look at your cybersecurity program at the time of the attack. And there’s no changing the past.”
