Over the last decade or so, plaintiff’s lawyers have used both new and old laws to bring class-action suits against firms that have already been victimized by cyber hackers.
The federal Telephone Consumer Protection Act, for instance, designed to protect people from robocalls, has become a powerful threat to firms managing private data of customers, clients and investors.
The number of TCPA suits jumped 800 percent from 2023-24, with more than three-fifths of the suits coming in as putative class actions, according to analysis by consulting firm CompliancePoint.
Last year, Florida, California and Texas accounted for nearly 60 percent of TCPA suits filed, CompliancePoint says.
The anxieties over cybersecurity are widening. A KPMG survey released in mid-April finds that more than four-fifths of LPs view cybersecurity as an essential part of fund governance, with more than a third saying their worries about fund cybersecurity have “significantly” increased.
Collateral damage
For now, private fund managers are collateral damage in the widening litigation, says Starr Turner Drum, a shareholder at law firm Polsinelli who focuses her practice on cybersecurity litigation and routinely defends private equity managers in cases.
“They’re all wanting to build capital and exit,” Drum tells Private Funds CFO“and things like cybersecurity litigation affect that capitalization.”
Just as cyber hackers have gotten more sophisticated over the years, the plaintiff’s bar has gotten more sophisticated, too, Drum says. They’ve discovered novel uses of state and federal wiretapping and privacy laws – some old, some new – to cover the very pixels in media images.
States, feds add to the threat matrix
The states play a role here, too, Drum says. California, for instance, has some of the strictest privacy laws in the Republic. It has its own newly created regulator, the California Privacy Protection Agency. In March, the agency announced its first-ever settlement with a non-data broker – carmaker Honda.
There are other ways states make things harder for firms. Even where states don’t have specialized privacy regulators, most attorneys general routinely publish notices about firms that have suffered a cyber breach. It’s like chum on the water.
Then there’s the decades-old federal Video Privacy Protection Act, passed in 1988 after failed Supreme Court nominee Robert Bork’s video rentals were leaked to the press during his Senate confirmation hearings. The act holds any “provider” of audio-visual services – now including online video sharing – liable for a disclosures about a customer’s rental history “outside the course of normal business.” Each violation is subject to up to $2,500 in actual damages, which makes it attractive to class-action lawyers.
One of the problems here, Drum says, is that defending these suits gets really expensive, really fast. “If you’ve got insurance coverage, you’re going to burn through it. If you don’t have insurance, you’re going to have to pay out of pocket,” she says. Which means that one way or another, managers will need bigger budgets for their cybersecurity programs.
