Litigation Minute: Mitigating the Class Action Risks Posed by the Collection and Storage of Sensitive Data | K&L Gates LLP


The collection and storage of sensitive data may not only attract the attention of government agencies, but also that of potential class action plaintiffs. Government investigations, required disclosures, and media attention regarding alleged breaches of data privacy law or data security incidents can—and often do—lead to the filing of a follow-up class action lawsuit, which can easily compound the costs associated with these allegations and incidents.

In a minute or less, here’s what you need to know to mitigate the risk of such class action lawsuits.

Keep privacy policies up to date

Class action lawsuits related to the collection and storage of sensitive data may involve legal claims under federal and state consumer protection laws or common contractual or fraudulent claims. However, in many cases, the allegations do not necessarily relate to practices involving sensitive data, but to the nature and extent to which these practices have been sufficiently disclosed. Therefore, one of the best ways to avoid potentially costly litigation is to regularly review and update applicable privacy policies.

Specifically, an entity that collects and stores sensitive data should update its privacy policies not only to reflect changing internal practices regarding sensitive data, but also to reflect regulatory and litigation trends. regarding data privacy. For example, an entity may consider keeping an eye on enforcement actions and lawsuits against similar entities as a benchmark to determine best practices for disclosing relevant practices. It is important to note that a strong privacy policy will reflect the increased level of protection given to certain categories of information, such as health information or personally identifiable information, as well as trends in what regulators and courts regard as constituting this information, which is constantly changing. .

Screening of third-party service providers

It is equally important to understand the practices and policies of third-party service providers. It is rare that an entity that collects and stores sensitive data does not use the services of a third party. For example, when developing software or online platforms, developers often rely on third-party software development kits (SDKs) to streamline the development process and incorporate certain pre-packaged features. There are many benefits to using these SDKs, for example, allowing easy integration with social media, analytics and other platforms without extensive coding, and this is a very common practice for many platforms. -numerical forms.

However, in most cases, in order to achieve the desired functionality, some user information may need to be shared with the third-party SDK provider. Therefore, an entity that follows even the most conservative data privacy practices may be subject to enforcement and class action lawsuits, whether founded or not, based on the use of a particular SDK. Screening any third-party service providers will go a long way to protecting any entity that partners with such providers.

Management of data security incidents and government requests

Finally, being prepared to quickly and carefully handle any data security incident or government agency investigation will further reduce the risk of subsequent class action lawsuits. Nothing inspires alleged class action plaintiffs more than controversy, so the quick and uneventful resolution of such occasions is essential.

Comments are closed.