Carriers change tactics to fight back against proliferating privacy class actions

Reuters
13 Feb
By Isha Marathe

Feb 12 - (The Insurer) - Insurers and their counsel are taking an offensive stance against what they see as a lucrative privacy litigation landscape for a zealous plaintiff's bar, they said at the NetDiligence Cyber Risk Summit 2025.

The increased regulatory attention on data privacy from the SEC and FTC also means that, like plaintiffs, state and federal watchdogs are beginning to view business compliance obligations through the lens of data privacy statutes – not just new ones, but also novel interpretations of old ones. That sets up a vulnerable position for insurance companies that may just be catching up with fast-changing privacy liability.

Indeed, carriers, brokers, and attorneys at the conference raised alarm bells about a near-doubling of privacy class actions as data breaches have spiked and class certification requirements have become more lenient to the consumer.

‘Aggressive’ plaintiffs

Carolyn Purwin Ryan, data privacy and cybersecurity partner at Mullen Coughlin, said that while she saw a surge of privacy liability class actions in 2024, she thinks it’s “going to get worse” in 2025 and beyond.

“I am seeing the tactics that are very aggressive on the plaintiffs bar,” she said.

“The class action bar used to be 10,000 [individuals impacted] – now it's about 2,500, sometimes even lower… I had one the other day that was 31 individuals in terms of the class action that happened.”

While too few class members have typically been a deterrent for courts to certify a class due to inefficiency, Ryan said that in terms of privacy liability, those rules are becoming more lenient in some jurisdictions – so much so that states like California are seeing common-law challenges to put guardrails around a minimum class.

As long as class size favours the consumer, however, plaintiffs are likely to leverage the law to file class actions.

Tama Ashijan, vice president of cyber and tech claims at Tokio Marine, for instance, said that while she knows that most data privacy class actions are likely to go to settlement, carriers shouldn’t make the course easy for plaintiffs.

“You can’t just roll over and pay,” Ashijan said. “We're taking a very aggressive approach at this point, because we're frankly getting tired of this.”

She said that Tokio Marine is exploring various strategies to assume an aggressive posture: “we’re thinking outside the box [like] deposing plaintiffs, pushing for [stringent sign-up rates]” or even “[doing] dark web searches [to find] that none of the people in the class [qualify]”.

Similarly, attorneys like Ryan are attempting to call plaintiffs on their proverbial bluff, hoping to tip the scales in favour of the carriers.

“We are seeing a trend [of] carriers now saying ‘you know what? Let’s challenge this from a motion perspective, let’s go into discovery,’” Ryan said.

“And I welcome that. Because a lot of these cases [traditionally] get resolved early, and the plaintiffs’ bar knows that. So how do we shift that conversation?”

Ryan, like Ashijan, said deposing class members is a helpful way to gain leverage in data breach class actions and “rattle the cages” of plaintiffs.

Regulatory impact

To date, 20 US states have comprehensive data privacy statutes, and tens more are moving up to governors’ desks – each with partially overlapping and distinct compliance obligations that are fast-changing.

When attorneys general sue or slap enforcement actions on businesses for falling out of compliance, what follows soon after is a privacy liability class action.

Most recently, in January, Texas AG Ken Paxton sued Allstate for unlawfully collecting, using, and selling consumer data through its subsidiary Arity. The move raised eyebrows for two key reasons: it was the first suit brought under the state’s privacy statute, the Texas Data Privacy and Security Act (TDPSA), and the first target was an insurance provider.

On 5 February, 25 plaintiffs filed a class action complaint against Allstate in an Illinois court for a violation of their data privacy rights.

Paul Reyes, vice president of business management at Swiss Re, said that as data privacy class actions become low-hanging fruit for plaintiffs, their scrutiny is moving to smaller businesses than ever before.

“[An] increase in class action filings [and] smaller class sizes [means] there's increased potential for particularly those in the SME space to be targets now, as opposed to when they were previously overlooked,” Reyes said.

“For us, that [means] making sure that [we are] pricing appropriate programs going forward [in the SME] space.”

What can insurers do?

A more assertive legal posture is not the only way to cope with an influx of data privacy and privacy liability class actions, attorneys and insurers said.

Michael Colford, senior vice president and cyber and tech product leader at Westfield Specialty, said that it’s important to go through policies with a fine-toothed comb, keep abreast of the regulations, and keep an ear to the ground on how plaintiffs are switching gears.

For instance, privacy liability suits against businesses and carriers are not limited to new statutes.

Colford said that a growing number of suits and enforcement actions are based on new interpretations of old laws, like the Video Privacy Protection Act (VPPA).

“We're seeing claims for violation of VPPA, which was designed in the late [1980s] around video rental history [but] now [in the Meta Pixel lawsuits], there's a new interpretation of something that’s an old regulation,” he said.

“So [we] have to stay ahead of plaintiffs attorneys who are finding these somewhat antiquated laws and modernizing them against insured – so it’s a tough space [and] a continuous evolution of the market that's going to force people to address these new and emerging trends.”

Insurers may also benefit from standardising processes for handling data breach claims, noted Garrett Koehn, chief innovation officer at CRC Insurance Services.

“The biggest evolving area right now is non-breach violations of privacy data,” Koehn said.

“If there's a class action around that area, there's really no consistency in how carriers handle it,” Koehn said. “So it could be appropriately covered. It could be silent, it could be a defence only. It could be a sub-limit. It could be only if the C-suite didn't know about it.

“And so that seems like an area that's a newer one that's not yet settled.”
