The surge in emerging technologies has brought about a significant increase in data-security class-action lawsuits. As individuals generate larger volumes of sensitive data through online banking, shopping, healthcare, and interactions with AI and IoT devices, the risks of data misuse and breaches grow. Companies like Meta and Apple have faced landmark settlements, showcasing the financial and reputational stakes. Organizations now navigate a fragmented regulatory landscape in the U.S., alongside increasing consumer awareness and willingness to litigate. These trends underscore the critical role of data security professionals in mitigating risks through advanced technologies, compliance, and employee education.
Introduction
Data security has become a central concern for organizations across all sectors. As emerging technologies expand the scope of data collection and cyber threats grow more sophisticated, the landscape of litigation surrounding data breaches is intensifying. High-profile settlements in recent years signal a heightened emphasis on accountability, pushing businesses to rethink their strategies for protecting consumer data. This SecurityInfoWatch.com (SIW) Q&A with Darren Craig, partner at Frost Brown Todd, explores the drivers behind the rise in data-security class actions, their implications for businesses, and actionable steps for professionals to reduce exposure to legal risks. With new privacy legislation on the horizon, this conversation provides critical insights for navigating the evolving challenges of data security in 2025 and beyond.
SIW: How is emerging tech fueling data security class action lawsuits? Can you provide background/insight into this current litigation and/or regulatory landscape?
Craig: Emerging technologies and the proliferation of existing technologies have caused substantial growth in data-security class actions. As people increasingly bank, shop, and seek healthcare online, the volume of data each person generates has increased. The ever-increasing data pool gives criminals more opportunities to profit through identity theft. Companies that rely on advertising revenue, including social media platforms and search engines, try to maximize the value of the data they collect, sometimes leading to allegations that the companies are profiting from consumer data without consent.
Many people are increasingly relying on artificial intelligence to help them with business and personal tasks, sometimes without considering the sensitive nature of the information they are providing and whether the artificial intelligence provider has any obligation to keep that information secret. The Internet of Things, including smart speakers and appliances, also gathers vast amounts of data.
This explosion of available data has led to a corresponding explosion of privacy litigation, sometimes resulting in enormous settlements. In the largest settlement of this kind, Meta agreed to a $1.4 billion settlement with the Texas Attorney General for allegedly collecting biometric data in violation of the Texas Capture or Use of Biometric Identifier Act and the Deceptive Trade Practices Act.
Apple just agreed to pay $95 million to settle a proposed class-action lawsuit alleging that its voice-activated assistant Siri violated users’ privacy by listening to them without their consent.
In a recent settlement of a ransomware case, Lehigh Valley Health Network agreed to a $65 million class action settlement after a data breach involving 600 patients and employees. This settlement was the largest on a per-patient basis for a healthcare ransomware breach case.
Companies face a complex patchwork of privacy regulations in the United States. There is no general privacy law in the United States similar to the General Data Protection Regulation in Europe, but various federal laws regulate privacy practices for health-care providers, banks, and other industries. States have likewise enacted privacy laws like the California Consumer Privacy Act.
SIW: What are the key impacts or takeaways of this uptick in litigation across consumers, data security professionals, and companies?
Craig: The rise in data-security class actions affects consumers, data security professionals, and companies. Consumers are becoming more aware of their data privacy rights and show an increasing willingness to participate in litigation, either individually or as part of a class action. The large settlements reached in the last year, which received much media attention, will likely enhance this trend.
Data security professionals are in increasing demand. Their skills help prevent and remediate data breaches and ensure companies meet their obligations in an increasingly regulated environment. Data security professionals must continually learn the latest regulations and best practices to perform their jobs successfully.
Companies face significant financial risks, including fines, litigation expenses, and settlement costs. They also face increased scrutiny from regulators to comply with data protection laws. Companies may suffer serious reputational harm if their customers’ data is exposed. To mitigate the risk of data breaches and lawsuits, companies are investing more in data security measures, such as implementing security protocols, conducting regular security audits, and training employees and contractors on data protection practices.
SIW: Given the growing sophistication of data breaches, what actionable steps can corporate data security professionals take to mitigate class action litigation risks?
Craig: To mitigate the risks of data-breach class actions, corporate data security professionals can take several actionable steps, including:
- Follow industry standards such as the Center for Internet Security (CIS) Controls and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Conduct frequent security audits and vulnerability assessments to identify and address potential weaknesses.
- Use advanced security technologies including encryption, multi-factor authentication, and intrusion detection systems to protect sensitive data.
- Educate employees about data security best practices and the importance of protecting sensitive information.
- Conduct phishing simulation exercises to help employees recognize and avoid phishing attacks.
- Establish comprehensive data protection policies that outline how data should be handled, stored, and transmitted.
- Conduct regular compliance checks to ensure adherence to all applicable data protection regulations.
- Develop a detailed incident response plan to ensure a swift and effective response to data breaches.
- Assess the data security practices of third-party vendors and ensure they comply with your organization's security standards.
- Include data protection standards, breach notification requirements, and insurance requirements in contracts with third-party vendors.
SIW: What is your outlook on data security class actions over the coming year? Are any upcoming regulatory developments, industry trends, etc. slated to shake up this litigation landscape further?
Craig: The costs associated with data-breach class actions are expected to increase and exceed regulatory fines. Because companies will face significant financial risks from class actions, it is essential to implement robust data security measures now. Two factors significantly contribute to the litigation risks. First, as cyber threats become more sophisticated, the likelihood of data breaches increases, which fuels class actions. Second, consumers’ heightened awareness of data privacy rights makes consumers more likely to pursue litigation when their data is compromised.
Significant privacy legislation will become effective in 2025. On January 1, new comprehensive privacy laws took effect in Delaware, Iowa, Nebraska, New Hampshire and New Jersey. Later in the year, Maryland, Minnesota and Tennessee will implement similar legislation. Updates to some state regulations, including the California Consumer Privacy Act (CCPA) and the New York SHIELD Act, will impose stricter data protection requirements.
At the federal level, Congress continues to consider comprehensive artificial intelligence legislation that may include significant privacy standards. Internationally, the EU Cyber Resilience Act will impose cybersecurity and incident/vulnerability reporting requirements on connected products beginning in 2026.