Litigation Minute: Mitigating the Class Action Risks Posed by the Collection and Storage of Sensitive Data | K&L Gates LLP
WHAT YOU NEED TO KNOW IN A MINUTE OR LESS
The collection and storage of sensitive data may not only attract the attention of government agencies, but also that of potential class action plaintiffs. Government investigations, required disclosures, and media attention regarding alleged breaches of data privacy law or data security incidents can—and often do—lead to the filing of a follow-up class action lawsuit, which can easily compound the costs associated with these allegations and incidents.
In a minute or less, here’s what you need to know to mitigate the risk of such class action lawsuits.
Keep privacy policies up to date
Class action lawsuits related to the collection and storage of sensitive data may involve legal claims under federal and state consumer protection laws or common contractual or fraud claims. However, in many cases, the allegations relate not to the practices involving sensitive data themselves, but to whether, and to what extent, those practices have been sufficiently disclosed. Therefore, one of the best ways to avoid potentially costly litigation is to regularly review and update applicable privacy policies.
Screening of third-party service providers
It is equally important to understand the practices and policies of third-party service providers. It is rare for an entity that collects and stores sensitive data not to use the services of a third party. For example, when developing software or online platforms, developers often rely on third-party software development kits (SDKs) to streamline the development process and incorporate certain pre-packaged features. These SDKs offer many benefits, such as easy integration with social media, analytics and other platforms without extensive coding, and their use is a very common practice for many platforms.
However, in most cases, in order to achieve the desired functionality, some user information may need to be shared with the third-party SDK provider. Therefore, an entity that follows even the most conservative data privacy practices may be subject to enforcement and class action lawsuits, whether well-founded or not, based on the use of a particular SDK. Screening any third-party service providers will go a long way toward protecting any entity that partners with such providers.
Management of data security incidents and government requests
Finally, being prepared to quickly and carefully handle any data security incident or government agency investigation will further reduce the risk of subsequent class action lawsuits. Nothing inspires alleged class action plaintiffs more than controversy, so the quick and uneventful resolution of such matters is essential.