You’ve got to give the trial bar credit for being innovative. It has opened up a new frontier in the litigation sweepstakes—data privacy. Cyberattacks are growing in size and frequency, more and more consumers are exposed to them, and state and federal data privacy laws are complex and increasingly antiquated. That means the risk and potential liabilities are staggering.
These breaches impact businesses of all sizes and in every sector—from the corner hardware store running credit card transactions on Main Street to the largest Fortune 500 companies operating worldwide. Attacks against U.S. companies can come from anywhere in the world and hit customers everywhere. So the liability playing field is global. And thanks to mass hacks—compromising millions of customers’ data—there is no shortage of victims.
Plaintiffs’ lawyers can stay up to speed on the latest cyberattacks thanks to laws in almost every state requiring companies to report breaches to customers, government authorities, or both. They frequently troll news reports and public records, sometimes filing class actions within 24 hours of a data breach.
The U.S. Chamber and its Institute for Legal Reform are working to prevent data privacy from becoming a lawsuit bonanza for the trial bar.
We’re calling for uniformity in data breach liability laws—at home and abroad. Forty-seven states have different and conflicting laws on this topic. This chaos presents all kinds of opportunities for abuse. Congress is belatedly considering legislation to create a federal standard. Its goal should be to achieve real data security with legal clarity, rather than another big payday for the plaintiffs’ lawyers.
We’re using our resources to call out legal abuses of existing and prospective laws, both by regulators and the trial bar. Many states have passed or are contemplating amendments to privacy laws that allow for private rights of action, attorneys’ fees, and statutory penalties without proof of harm or damage caps.
We’re also strongly supporting the Cybersecurity Information Sharing Act, which recently passed the Senate. This bill would enable companies to share specific information about cyber incidents and threats with each other and the government—without the threat of lawsuits. With an updated cybersecurity law, we can help prevent more data breaches from happening in the first place.
In the meantime, the trial bar is using its old tricks of creating lawsuits and fishing for clients in the rapidly evolving area of data privacy, seeking to expand liability and damages. We’re watching all of this very closely, and we’re ready to blow the whistle as soon as the plaintiffs’ lawyers step out of bounds.