FAIR vs Resilience
Threatonomics

The State of Complex Claims: Data Privacy Legislation and Lawsuits in the Digital Age 

Five Takeaways on the Current and Future State of Cyber Claims

by Kevin Neslage , U.S. Incident Response Claims Counsel
Published

The ever-evolving landscape of technology is constantly pushing the boundaries of cyber insurance claims. While advancements in tech bring exciting possibilities, outdated legislation is struggling to keep pace. This creates a murky environment where data breaches can quickly morph into complex legal battles.

As the US Claims Operation Lead at Resilience, I’ve seen firsthand the complexities that come with managing modern cyber incidents. From ransomware to deep fake frauds, the threats are continuously evolving, demanding a proactive and informed approach to incident response and risk mitigation. Below are five key insights from my recent panel, “Back to the Future: A Roadmap for the Current & Future State of Cyber Claims,” at last week’s Complex Claims & Litigation Forum, offering a glimpse into the future of cyber claims management.

1. Lawsuits are a growing cost of ransomware and BEC.  

Cyber insurance claims arise from various situations, and understanding the triggers allows for better risk mitigation. Ransomware remains the top culprit, responsible for a staggering 81% of claims involving recovery expenses. However, the financial burden extends beyond data recovery. Legal action – including lawsuits, settlements, and class actions – is becoming increasingly commonplace following major breaches. In 2023, data breach class action filings reached record highs.

It’s not only ransomware incidents that are leading to lawsuits. Business email compromise (BEC) attacks are also leading to more litigation as their impact intensifies. Likewise, the liability in wire transfer losses is often complex, leaving victims with limited legal support. While cyber insurance can help offset the cost of a legal suit, it can rarely cover the entire cost.

Lawsuits are an unpredictable and significant cost of data privacy incidents, and they are likely to grow in prevalence as high-profile breaches receive more media attention. 

2.  New Tech, New Risks, New Lawsuits

The introduction of Artificial Intelligence (AI) has the cybersecurity community on high alert. AI-powered human-engineering attacks are becoming more sophisticated, tricking victims into divulging sensitive information that could spark litigation from both clients and other businesses.

Deepfakes and voice spoofing further complicate matters. These technologies lack a legal framework for detection and use, potentially leading to a surge in cyber breaches, claims, and data privacy lawsuits as AI’s influence grows. There is hope for new legislation in the future. In the meantime, AI is predicted to lead to an uptick in cyber breaches, claims, and data privacy lawsuits. 

The cyber-world is entering into the unknown regarding these new technological capabilities. However, the lack of modern legislation is not unique to AI. Most new technologies lack updated legislation to define the parameters of usage and data privacy, and old laws are being relied on to guide data privacy lawsuits. 

3. Outdated Laws vs. Cutting-Edge Tech: A Recipe for Disputes

The rapid pace of technological advancement dwarfs the glacial speed of legislative reform. This means most data privacy lawsuits rely on outdated laws that are ill-equipped to handle modern complexities. 

Consider the Video Privacy Protection Act (VPPA), which was established in 1988 for a pre-internet world that could never have imagined the introduction of social media. Now, courts interpret “video tape service providers” more broadly, encompassing companies offering recorded video content online. 

Take, for example, the class action lawsuit filed against Chick-fil-A, alleging they allowed a Facebook tracking pixel to monitor users’ video-watching behavior. The data sharing between the organization and Facebook breached the VPPA by sharing unique ID numbers that Facebook was able to use to identify users and send them targeted ads. 

Online tracking is a legal grey area, and several lawsuits have alleged VPPA violations over the past few years. Organizations must be mindful of what data they collect and how that data is used and more carefully consider what data they allow to be tracked when browsing online. 

4. Arbitration: A Streamlined Solution

As data privacy issues are increasingly brought into the courtroom, another less procedurally complex solution is growing in popularity. Arbitration offers an alternative dispute resolution that can be carried out in private, which means a simplified, less expensive, path to resolving conflicts. In an arbitration, lawyers for both sides present evidence to an independent party to make a well-informed and legally binding decision.  

Arbitration clauses are often included in large business contracts to establish a clear pathway for dispute resolution. For B2B and third-party businesses, an arbitration clause can be a preemptive strategy that keeps disputes out of a courtroom. Though arbitration is traditionally for businesses interacting with each other, individuals can contribute to mass arbitration regarding data privacy issues. 

Arbitration offers greater privacy than public lawsuits, which can minimize reputational damage and resolve disputes more quickly and confidentially.

5. Avoid Dispute: being mindful of how your organization uses and stores client data

While filing a claim is a great way to recover financially from an incident, avoiding one altogether is preferable. The best way to prevent a claim is to prevent an incident in the first place. Though cyber incidents are unpredictable, being mindful and following data privacy legislation is an easy step to help organizations avoid costly lawsuits. 

Resilience: Your Partner in Complex Claims

If you should experience an incident, navigating communications post-event requires experienced counsel to create a clear and succinct narrative. Oversharing can open the door to potential lawsuits if the public is made aware of details that were provided improperly. Likewise, expert guidance can help organizations mitigate reputational damage, resolve the incident more quickly, and offer guidance should the need for legal action or arbitration arise.

At Resilience, our expert claims team works hand-in-hand with our clients to keep claims from turning into complex litigation scenarios. When a complex situation is unavoidable, we offer access to a tailored network of forensics and legal experts who can help to navigate any challenges with old legislation, arbitrations, and more.

About the Author
Kevin Neslage , U.S. Incident Response Claims Counsel

Kevin Neslage is a member of the claims team at Resilience Insurance, where he assists insureds through all aspects of the claims process. His primary focus is on incident response, assisting insureds in quickly reacting to a cyber event by utilizing the resources in their cyber insurance policy. In addition, Kevin engages with insureds proactively through Resilience’s unique insured onboarding program, where he joins the Resilience security team in explaining cyber coverage to insureds and advising insureds on specific steps they can take to improve their cyber hygiene. Kevin is an attorney and a certified information privacy professional in both Canada and the US (CIPP/C/US) with the IAPP. Before joining Resilience, Kevin worked as an insurance coverage attorney at some of the largest U.S. and international law firms.

You might also like

Why the OODA loop matters for cybersecurity

In 2004 as I prepared to board a flight to Tokyo, I strolled through a bookstore in ATL’s international concourse looking for something to occupy my mind during the 14 hour flight. Just as I was about to head to my gate empty-handed, I noticed a book that I had just read a review about […]

What DeepSeek means for cyber risk

The January 20 release of DeepSeek, an open source LLM developed by a Chinese research lab, rocked both the tech world and the financial markets. The product quickly demonstrated what appears to be exponentially better energy, cost efficiency, and similar performance capabilities when compared with American-made AI products like OpenAI. It also highlighted a number […]

The importance of vendor risk reports in managing third-party risk

The cybersecurity landscape saw a significant shift in 2024, with third-party risks emerging as a major source of cyber losses. Vendor risk management is far more than a compliance checkbox—it is a vital layer of defense in today’s cybersecurity landscape. And that’s why understanding your risk exposure from vendors through vendor risk reports is so […]

The rise of CISO 3.0 and what it means for cyber risk

The Chief Information Security Officer (CISO) has traditionally been seen as someone who worked behind the scenes, focused on technical details and making sure the company’s network, applications, and data were safe. They were known and appreciated for their tech skills, but maybe not so much their business skills. The CISO of the past was […]

Understanding identity-based attacks and how to defend against them

Breaches used to be primarily carried out via software vulnerabilities: Companies would announce a flaw, take a while to fix it, and attackers would find their way into the system using those exploits. From there they might not only steal information and assets from their primary target, but would also use their access to jump […]

Get ready for threats both old and new in 2025

It’s prediction season and while no one can see into the future, we can definitely take some educated guesses. From increasingly severe ransomware attacks to deepfakes that deceive Fortune 500 companies, we’re keeping an eye out for some major events in 2025. And while many organizations are taking steps to beef up their defenses, the […]