Data Mining in the Age of Class Actions: What Privacy Teams Need to Know

Share this post:
Subscribe:
Get the latest news and insights from Integreon delivered to your inbox.

Data breach class actions are no longer a distant risk—they’re a near-certainty. With $70 billion in class action settlements in 2025 and more than 1,800 data breach class actions filed that year alone, the old playbook of “when in doubt, notify everyone” is quickly becoming a liability rather than a safeguard.

That was the central theme of a recent IAPP webinar, “Data Mining in the Age of Class Actions: What Privacy Teams Need to Know,” sponsored by Integreon. The panel brought together voices from both the legal and operational sides of incident response, including Megan Silverman, VP, Cyber Strategy & Solutions, Integreon, Todd Daubert, Dentons, and Todd Panciera, Polsinelli.

Together, they unpacked why data mining has become the linchpin of a defensible breach response, and what privacy teams need to rethink as litigation trends, data volumes, and regulatory expectations continue to shift.

The end of "notify everyone" post data breach

For years, broad notification felt like the safest move: when a breach happened, companies erred on the side of telling as many people as possible. But as Todd Panciera explained, that instinct can backfire. High-profile incidents—like those affecting T-Mobile and MGM—show that broad, early notifications made in the name of transparency can still result in significant litigation exposure, simply because they’re issued before the facts are fully known.

The panel agreed: the shift isn’t just from “broad” to “targeted.” It’s a shift toward quality. As Todd Daubert put it, understanding exactly what data is at stake allows organizations to have more credible, higher-quality conversations with regulators, victims, and business partners, Conversations that are far harder to have when notifications are rushed or overly broad.

Why data mining is the foundation of defensibility

So, what does “quality” actually mean in practice? According to one panelist, effective data mining means going beyond a checklist of legally defined PII terms. Businesses today face a much broader landscape of consumer expectations around what counts as sensitive information, even data that isn’t technically “personal information” under a given statute can still carry real business risk if mishandled.

The panel emphasized that thorough data mining does more than satisfy notification obligations. It helps organizations answer the questions regulators, journalists, and affected consumers are increasingly asking: Why do you have my data? Why do you still have it? What are you doing to protect it? Without a clear view of what data was actually impacted, those questions become impossible to answer with confidence, and that gap in confidence is exactly where legal exposure grows.

Complexity is only increasing

The panelists also pointed to a less-discussed driver behind the shift: the sheer volume and complexity of data now involved in breaches. Organizations frequently discover, in the course of a data mining review, that they’re holding files they didn’t know existed, or records far older than expected.

This creates a dual challenge. On one hand, companies must move quickly to comply with tight regulatory deadlines. On the other hand, rushing the analysis increases the risk of inaccurate or incomplete notifications—the very thing driving today’s litigation wave. Getting this balance right, the panel noted, is now one of the defining challenges for privacy and incident response teams.

Documentation: your narrative for later

A recurring point throughout the discussion was the long-term value of documentation. Every decision made in the early days of a breach response—what was analyzed, why, and how—becomes part of the narrative an organization will later have to defend, whether to a regulator or in litigation.

The panel also addressed a timely legal development: the erosion of attorney-client privilege protections in cases like the Capital One decision. While that ruling makes privilege harder to invoke over cybersecurity investigations, the panelists were clear that it doesn’t make it impossible. Engaging forensic partners through outside counsel, rather than through a company’s standard IT vendor relationships, remains one of the most effective ways to preserve defensibility.

Where AI fits in

Given how much data organizations must now sift through, it’s no surprise that AI came up as a tool for accelerating early-stage analysis. But the panel was unified on one point: AI supports the process, it doesn’t replace it. Human expertise remains essential to ensure the accuracy, context, and legal defensibility that a breach response demands.

As class action filings continue to climb and data volumes grow more complex, privacy teams can no longer treat data mining as a back-office task. It’s the foundation for every decision that follows a breach, from what gets communicated, to how it’s defended down the line. Organizations that invest in high-quality data mining and clear documentation upfront aren’t just meeting a compliance requirement; they’re building the credibility they’ll need if a regulator, journalist, or plaintiff’s attorney starts asking questions.

Interested in how a well-orchestrated data mining approach could strengthen your organization’s breach response and reduce the cost of post breach response? Connect with Integreon’s Cyber Incident Response team to learn more.

Explore more