It's no longer just about locking people out of files – cyber extortion with data exfiltration will also drive class actions in 2023. Threat actors don't need to manipulate data; they can just steal and distribute. They’ve also made accessing this data easier; traditionally available only on the Dark Web, stolen data is now searchable on publicly accessible websites. Concerns about data are now spurring plaintiffs to action.
Class actions have ticked up – at much smaller notified populations – and will continue to do so. Plaintiffs have started filing data breach class actions for significantly smaller potential class sizes. While third-party litigation is less of an issue elsewhere in the world, global companies must be aware of this trend and the potential impact from their US operations.
Another emerging trend in the US is the filing of multiple class actions by different plaintiffs’ counsel for the same breach. This is driving up attorneys’ fees for settlements, and as more new plaintiffs’ attorneys enter the data breach class action space, it can be harder to settle.
With no singular driver, cyber extortion incidents will continue to be more complicated, more damaging, and harder to resolve.
We are seeing class actions based on notified populations of as few as 1,500, when a year ago, 50,000 notified individuals would be considered small. Thus far, the smaller classes seem to involve impacted SSNs, but not necessarily protected health information.
Amanda Thai, Cyber Claims Product Specialist, New York