Avoiding Class Action Data Breach Lawsuits

Corporate Counsel Weekly™ helps corporate lawyers get the big picture on the legal challenges facing corporations today. Practitioners can discover trends on the horizon and stay alert to the full...

By Susan Bokermann

Feb. 2 — “If you think of private data as toxic, you will only collect what you need,” said Renee T. Lawson, vice president and deputy general counsel at Zynga.

Lawson and others discussed many ways that companies can avoid data privacy and security breach class action lawsuits, such as annual reviews of company privacy policies, well-designed arbitration clauses and well-chosen outside counsel, during a Jan. 23 Practising Law Institute in-house counsel panel.

Privacy Policies

“Make sure that you’re doing an annual review of your privacy policy and at least touching base with your business,” said Lawson.

She said that many companies have sweeping privacy policies that don’t particularly match the practices of the company “because everybody put the kitchen sink in there.” She said it’s important to make sure each term in the privacy policy matches the business and that the drafter isn’t just “taking a template.”


Specifically, Lawson highlighted arbitration clauses because they can have a deterrent effect on lawsuits. Noting the high costs of class actions, and the potential exposure and liability for her company, she said that including an arbitration clause “was right for us.”

“I will be your gladiator if you need a gladiator,” said Lawson, but she said it’s better to find a way to come to a settlement or agreement “without battling it out.”

Christina Radocha, director of business and legal affairs at Demand Media, said that her company includes arbitration clauses in some of their agreements, but not all of them. “It is an ongoing conversation,” she said, “about whether arbitration provisions are appropriate in that particular instance.”

Because “the technical aspects” of data and privacy breach class actions are so particular, “it is critical to find” the right outside counsel, Lawson said. She added that she’s a “big fan” of requests for production to help find “the talent that’s out there.”

Radocha added that it’s very important to use outside counsel who are familiar with the particular business and the type of technology that the company uses.


The speakers also discussed cybersecurity insurance, which is emerging as a billion dollar market. Lawson said she likes to think of cybersecurity insurance as something for catastrophes. “If you have a minor security breach, hopefully it’s just minor,” she said, “but if you have a major security breach, it’s major. It can be make-or-break your company.”

Lawson warned that just “checking the box” and having cybersecurity insurance is not enough. The types of breaches vary, as do the types of insurance, and “the exclusions are crazy.”

To contact the reporter on this story: Susan Bokermann in Washington at sbokermann@bna.com

To contact the editor responsible for this story: Ryan Tuck at rtuck@bna.com