Litigation Trends: Cybersecurity, data protection, AI drive risk

Cybersecurity and data protection rank as the areas of greatest current exposure and of greatest concern for this year in the retail, consumer markets, and food and beverage industries, according to Norton Rose Fulbright’s 20th Annual Litigation Trends Survey. 

AI, regulatory and ESG disputes were also flagged as key areas of exposure. The report gathered responses from more than 400 general counsel and in-house litigation leaders from a variety of industries across the United States, with nearly 100 respondents identified as being in the retail, consumer markets, and food and beverage industries.

Cybersecurity and data privacy continue as the most significant risk

Forty percent of respondents experienced some form of litigation in this area in 2023, reflecting a sizeable jump from 2022 (33%), and 44% of respondents pointed to cybersecurity litigation as their greatest fear in 2024, leading all other litigation categories.

Cybersecurity and data privacy has been a leading source of disputes and anticipated risk for the past several years in the survey, as cyberattacks and increased regulation have been trending upward. But interestingly, respondents also flagged a new source of cyber risk this year: litigation costs associated with the expanded collection and retention of data.

One respondent stated that this expanded data is “going to make any litigation you have more painful because you have a bigger volume of likely irrelevant data that you will have to sift through.”

We expect a continued increase in risk for the retail, consumer markets, and food and beverage sectors. In addition to the SEC’s cyber incident disclosure requirements, several more states have enacted cyber and data privacy legislation or updated existing laws to reflect these risks, including Texas, Tennessee, Montana, Indiana and Rhode Island.

The growth of this patchwork will continue to pose challenges in complying across jurisdictions while increasing the number of sources of exposure when something goes wrong.

Best practices for mitigation remain:

• Robust use of tools to regulate, restrict, and monitor access;
• Continued training of all personnel, especially as to phishing and social engineering;
• Horizon scanning;
• Continuous improvement processes, including audits and controls testing; and
• Increased vigilance over outside vendors, including review and audit, certification, and ensuring upgraded security when needed.

AI poses a conundrum

Following on from cybersecurity, a new concern respondents expressed is the prevalence of AI. Respondents made clear that AI is a love-hate relationship.

On the one hand, respondents cited AI technology as a driver of increased cyber and IP risk. On the other hand, respondents want their outside counsel and other service providers to use generative AI to increase efficiency and reduce costs.

In addition, increased regulatory focus on AI portends coming risk, as President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, issued in October 2023, signaled an intent to regulate AI technology in the U.S.

U.S. companies should expect to see more regulatory activity around AI in 2024, including state intervention following the pattern of data privacy -- for example, the California Legislature is currently debating significant restrictions on AI technology.

It is imperative for retail, consumer markets, and food and beverage companies to adopt and maintain internal policies and procedures regarding AI use that align with developing voluntary frameworks, as well as continue to track regulatory and litigation developments that may impose mandatory or de facto compliance requirements, respectively.

Regulatory investigations

Regulatory investigations continue to weigh on the minds of respondents, with 41% of retail respondents, 47% of consumer markets respondents, and 35% of food and beverage respondents expecting exposure to increase in 2023 relative to 2022.

Dovetailing from cyber and data privacy, the federal government and many state agencies are focused on consumer protection issues arising from the nearly ubiquitous use of technology in all facets of these sectors, from online marketplaces to payments processing to targeted marketed and advertising.

While it remains imperative for companies in these sectors to have robust policies and procedures around consumer protection, it is more important than ever that these policies be coordinated on a cross-functional basis and reviewed holistically across the enterprise.

ESG continues to drive risk, with DEI posing a key unknown in 2024

The focus on ESG, corporate social responsibility, sustainability, and DEI continues to grow in importance, as one in 10 respondents experienced ESG-related litigation in 2023, as compared to only 2% in 2022. 

Anti-ESG sentiment has also become a prominent factor in risk, as organizations find themselves caught in the middle. However, respondents seem to be seeing weakness in the mettle of anti-ESG advocates, as only 29% of overall respondents expressed concern over anti-ESG regulatory pressures.

Beyond this pitched political battle, greenwashing risk continues to drive in-house counsel concerns, with 54% of overall respondents expecting an increase in environmental disputes in 2024 to be driven by greenwashing and false advertising claims. 

This risk is likely even more acute in light of the SEC’s recently-approved climate disclosure rule (despite pending legal challenges), California’s SB 253 (climate emissions disclosures), SB 261 (climate-related risk disclosures), and AB 1305 (disclosure of substantiation for carbon neutral claims and use of offsets). We also see increased activity in private class actions based on false advertising of green attributes of products and services.

Finally, a new risk issue entered the conversation following the U.S. Supreme Court’s affirmative action ruling. Following this ruling, a variety of entities and institutions have seen legal challenges regarding DEI policies and procedures, whether in hiring and recruiting, procurement, or other areas.

It remains to be seen how successful these challenges will be, but 42% of overall respondents
flagged DEI as an area in which they anticipate increased disputes, leading all social considerations (with human rights (41%) and labor rights (36%) trailing closely behind.

Specific to the retail, consumer markets, and food and beverage sectors, 2024 is likely to see the. passage of legislation in several states requiring companies to disclose information on their supply chain impacts and their plans to mitigate these issues. Companies should keep a close eye on these developments while reviewing existing policies and procedures and preparing to create new ones as the legal challenges and laws evolve.

Looking Ahead

Unfortunately, there are no easy answers to these rising disputes trends. Companies will need to align on risk appetite across internal stakeholder groups, as well as balancing the demands of investors and the potential for brand damage and reputational impacts. Investing in preventative measures can yield positive results, but at significant time and cost.And with a consistently evolving landscape, vigilance is required.