It Takes More Than Negligence To File A Class Action After A Cybersecurity Event In Tennessee


A new law in Tennessee was recently passed prohibiting private entities from being held liable in class action lawsuits resulting from cybersecurity events unless these events were caused by “willful and wanton misconduct” or “gross negligence.”

The new Tennessee law limits cybersecurity class action lawsuits against private entities to claims based on willful and wanton misconduct or gross negligence, keeping plaintiffs’ efforts from harming breached organizations.

Our clients often report that they feel “triple victimized” after experiencing a data breach or other cybersecurity incident. First, and in the truest sense, the organization is a victim of a very serious computer crime committed by the unknown threat actor. This brings increased scrutiny from its board or shareholders. Second, the notification process is often followed by a governmental regulatory investigation where the client must advocate for itself. Finally, lawsuits also often follow, usually in the form of purported class actions by individuals who allege damages from the unauthorized access and acquisition (and sometimes publication) of their personal information.

Tennessee joins states such as Florida, West Virginia, Connecticut, and Ohio that have enacted similar legislation aimed at providing businesses some relief from the derivative impacts of a cybersecurity event. The new law defines a cybersecurity event as an incident that results in “unauthorized access to, or disruption or misuse of, an information system or nonpublic information.” This is a notably broad definition, and presumably includes most common cyber incidents such as ransomware and business email compromise.

This means plaintiffs’ attorneys will have a high bar to clear when filing data privacy class actions in Tennessee against organizations after a cyber incident. Plaintiffs will now have to prove that the business acted intentionally with a willful disregard for a probable result in disaster, or with a conscious indifference to the consequences of their actions. Lawson v. Hawkins Cty., 2023 Tenn. App. LEXIS 511.

The impact of HB2434 might be more far-reaching. It remains to be seen how the Business Judgment Rule will act to protect Directors and Officers from such potential claims with respect to the decisions made around the purchasing, implementing, and budgeting for cybersecurity.

Similarly, it will be interesting to see how HB2434 shapes forthcoming class actions, especially when considered in conjunction with the forthcoming Tennessee Information Protection Act (TIPA). TIPA provides affirmative defenses to certain large enterprise businesses if the entities “reasonably” comply with the National Institute of Standards and Technology (NIST) privacy framework. HB2434 does not set forth any specific information security standards or frameworks that would automatically trigger the safe harbor.

Navigating the ever-changing landscape of data privacy and class action defense can be challenging for businesses. PierFerd’s experts in data privacy and class action litigation are ready to assist your business in planning now to be prepared for future challenges. Contact us today!

Howard Panensky at howard.panensky@pierferd.com

Liz Veys at liz.veys@pierferd.com


This publication and/or any linked publications herein do not constitute legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, the author(s) and PierFerd assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, this publication may constitute Attorney Advertising. © 2024 Pierson Ferdinand LLP.