Wilson Elser’s Cvitanovic: New Trump administration brings uncertainty over future of breach disclosure regulations

Reuters, Feb 18, 2025 5:07 PM

By James Thaler

(The Insurer) - The new Trump administration could roll back breach disclosure regulations adopted in recent years, leading those in the cyber community to adopt a “wait and see” approach to advising clients, according to Wilson Elser’s Dominik Cvitanovic.

Cvitanovic spoke extensively about breach disclosure rules in an interview with The Insurer TV at last week’s NetDiligence Cyber Risk Summit in Miami Beach, Florida.

Cvitanovic, who serves as a partner at law firm Wilson Elser, where he is also the co-chair of its data privacy and cybersecurity practice, also detailed how breach victims are evolving their strategies to defend against class action lawsuits.

He highlighted a rule proposed by the U.S. Department of Health and Human Services (HHS) on December 27, 2024 imposing more stringent disclosure requirements on healthcare providers, marking the first time the healthcare breach notification rule had been updated in over a decade.

“And now, with the change in administration, everyone is wondering how much of the proposed rule will survive into the final rule, if it ever is issued,” he explained, adding that healthcare clients are grappling with what federal obligations will mean for potential state liability exposure.

"WAIT AND SEE" APPROACH

With Republicans now leading the U.S. government, Cvitanovic said that there has been a sudden pause in regulatory investigations and enforcement actions as the new government takes time to assess its position on the matters.

“So, the question is, where will the administration take the initiatives that were unveiled by the Office of Civil Rights at HHS in 2024, will those continue?”

Cvitanovic also said it remains an open question whether the administration will continue to prioritise ransomware, hacking and risk analysis initiatives.

“Will those still be as front of mind in 2025 under the new administration? It's hard to say. We're just going to have to wait and see how that's going to develop.”

Cvitanovic said that a number of regulations promulgated at both the federal and state level have been on very tight deadlines and done with what he said were “admirable intentions”.

“We want – as state regulators, as federal regulators – more information sharing and I think we all have the same goal in mind, which is to reduce the level of victimisation, reduce the number of ransomware attacks and hacking incidents,” he commented.

“And the question is, do these notification regimes serve that goal? I'd love to see data on it. It's hard for me sitting here to say that they do or do not,” he continued.

“But when it comes to having to post your name to a portal that indicates that you're a victim of a data event as well as the number of persons potentially impacted, does that serve the consumer?”

“I would just ask that the community at large really consider that question going forward, so that we can make sure that any notification regimes actually serve the purpose that we're trying to achieve.”

Cvitanovic said that with firms subject to a myriad of regulatory regimes, it can often be challenging for consensus to emerge on how to follow guidance that’s been issued.

“There's guidance as far as whether you have to notify based on whether certain elements are met, are they accessed or acquired,” he commented.

“And so, those laws have been in place for a good number of years. While on the federal level, you have new rulemaking from the FTC…now you not only have to comply with those state requirements, you now have federal reporting requirements to consider.”

He said there remains a lot of uncertainty over how new regulations will be applied and interpreted, especially as they relate to specific companies.

“With any new law, there's going to be time before that really settles down,” he commented.

"ABUNDANCE OF CAUTION" MAY NO LONGER WORK IN DATA BREACHES

Cvitanovic also discussed the potential for increased disclosure requirements to contribute to the rising tide of data breach class action lawsuits filed against breach victims.

“Lawyers get asked by clients, 'Can someone sue me?' And the answer is yes, it's whether they'll win. That's the big question,” he noted.

The Wilson Elser partner noted that there has been a surge in data breach class action litigation in recent years, with the best strategies for responding to or heading off such suits evolving over that time frame.

“That is certainly something that we consider in advising our clients on the appropriate path forward, simply because an abundance of caution approach two years ago might not have likely given rise to a lawsuit, whereby now it does.”

“In every case you have to balance that risk against the knowns and unknowns, and specifically in data breaches we are investigating to confirm who's impacted, and making sure that we get notice letters to those individuals,” he explained.

“And, certainly we do have clients who feel like you can't win for trying,” he commented.

“You comply with the notification laws, only to know with some level of certainty that a complaint is going to be served on you soon. And it's an unfortunate reality of what we do.”

BREACH DEFENCE COUNSELS HONING IN ON QUESTION OF STANDING

As data breach class actions become more common, Cvitanovic said one trend he has observed is that those class actions are getting smaller, which is leading to a greater volume of suits being brought.

“That's certainly the most visible trend, but you also see a number of cases where courts are starting to really pin down on standing requirements, and that's something that we certainly are keeping an eye on,” he commented.

“Simply because you received a letter doesn't mean that, in your particular jurisdiction, under that particular law, that you may be able to bring a class action to pursue your rights.”

“For example, just last month you had the Illinois Supreme Court issue a decision that denied or dismissed a data breach class action, a putative one on the basis of standing, stating that under state law, the plaintiff in that case could not make out an injury in fact.”

“And so, it's those decisions that we're really focused on in order to separate those suits involving real injuries from those that are just speculative.”

Cvitanovic said his firm has had some success in getting suits dismissed based on standing grounds where the litigants had been unable to demonstrate they had suffered an injury.

He was also asked whether he thought that as data breach class action case law matures, there is the potential for fewer “nuisance” type suits to be filed.

“We will have to wait and see how the decisions develop, because you have state and federal law,” he commented.

“And the question is, on the plaintiff and defense side, we're going to be arguing standing on the basis of these cases, as well as other potential defenses as they're available, and the plaintiff's bar will be arguing the opposite,” he noted.

“And the question is, will the court system in the various states and on the federal level, will they take a tack that is more aggressive and defense-friendly, or more plaintiff-friendly?”

“Because that will really have an impact on the likelihood of these cases either proliferating further or potentially, seeing a downtick in volume,” he concluded.
