Cybersecurity, data protection increasingly seen as a litigation risk: Norton Rose Fulbright survey

Expanding laws and regulations and huge number of cyberattacks leading to litigation

Cybersecurity, data protection increasingly seen as a litigation risk: Norton Rose Fulbright survey

With the wave of cyberattacks and accumulation of data protection regulations in 2023, corporate counsel see cybersecurity and data protection as among this year’s primary litigation risks, according to Norton Rose Fulbright’s 2024 Annual Litigation Trends Survey.

The survey polled 400 respondents – both clients and non-clients – and found that 40 percent said their businesses litigated in the area of cyber and data protection over the last year. Only 33 percent had in 2022. That put cybersecurity and data protection third in the list of most litigated areas among survey respondents, with employment and labour issues followed by contracts coming in at one and two. There was a significant growth in employment and labour litigation, with 65 percent of respondents reporting they had litigated in that area in 2023, up from 49 percent who said the same for 2022.

In addition to cyberattacks and enhanced regulatory risk, the challenges posed by AI and the ever-increasing volume of data are leading factors in the ballooning cybersecurity and data-protection litigation risk. The industries where this perspective was most prevalent were those dealing with massive amounts of sensitive information and consumer data: financial services, healthcare, and retail.

Cybersecurity and data protection were among the many themes of the survey. Respondents also noted that AI poses intellectual property risks, ESG issues are a rising litigation concern, regulatory proceedings will likely continue to grow in frequency, and class actions involving antitrust, securities, and financial fraud are becoming increasingly prevalent.

“Nowadays, everyone in almost any industry is concerned with cyber risk and data protection,” says François-David Paré, partner and Canadian national chair of litigation and disputes at Norton Rose Fulbright.

“The volume of data managed by companies increases exponentially every year. If you couple that with easier access to data, including remote access – I'm thinking web-hosting cloud services, even software providers that nowadays offer a web-based platform – the access to data becomes potentially easier or more prone to breach and also attack.”

The survey’s respondents saw challenges identifying and managing data storage volumes and increasing AI use, which makes it more challenging to track and protect data, as the most significant trends leading to cybersecurity and data protection litigation risk. These were the views of 54 and 52 percent of respondents, respectively. Last year, respondents said “keeping pace with and updating policies to match rapidly evolving data privacy requirements and updating existing cyber and data protection infrastructure” were most responsible for contributing to increased litigation risk exposure in this area.

When cybersecurity and data protection issues get to court, Paré says judges look for whether a company’s behaviour was reasonable – whether a similar company in the same circumstance would have adopted a similar behaviour. Judges will look at what the company has done to prepare for an attack and whether they have protocols in place and have retained professional data breach experts who can respond in the event of an attack. They will also examine what the company did after the attack to stop the leak and prevent it from reoccurring.

“That's what I find interesting about these cases is that sometimes they give you a playbook,” he says. “The judges look at the behaviour of a company and say, ‘This is what they did, and this is what they should have done.’ If you follow those cases, you basically have the playbook on how to behave as a good corporate citizen.”