The Nano-Class era: 1,822 privacy lawsuits filed in 2025. Three hit insurers we need to talk about.


Reading scan time: 5 minutes

Your Friday Five:

After the team reviewed 200+ insurance, legal, regulatory, and market-risk articles so you didn't have to, here are the week's top three!

  • 1,822 privacy class actions filed in 2025. Seven per business day. And plaintiff firms are now filing complaints before the target's own response team finishes its first memo.
  • One TPA breach dragged six insurance carriers into a single class action. $6 million settlement. 1.6 million people in the class. None of the carriers caused the breach.
  • Think your website is compliant? Courts rejected the three defenses most firms rely on, all in the past twelve months.

The Nano-Class era arrives: welcoming small class actions

Summary

Small-stakes privacy lawsuits are now becoming a cost of doing business in the U.S.

Plaintiffs filed roughly 1,822 data privacy class actions in 2025. More than seven per business day. Up 18% over 2024 and more than 200% since 2022. Breach size doesn't drive this anymore. Filing volume does.

The engine is AI-powered case sourcing.

Platforms scan AG notices, SEC filings, court dockets, and privacy policies to package cases for plaintiff firms with plaintiffs already lined up. An insurtech that files a required AG notice for a 600-record data mix-up has, in effect, sent an open invite to the plaintiff's bar.

The statutes make the math work at small scale.

California's wiretap law (CIPA) carries $5,000 per violation with no need to prove actual harm. What was once just a CA issue is now spreading across the US. Federal wiretap filings under the ECPA grew 235% in 2025.

A March 2026 ruling widened California's consumer privacy act to cover any unauthorized sharing of personal data, whether on purpose or by mistake. A single analytics pixel on a broker portal can trigger state wiretap, federal wiretap, and consumer privacy claims at once, across multiple states. A regional mutual with a consumer quoting portal running Google Analytics has arguably the same exposure profile as a publicly traded carrier ten times its size. The statute doesn't scale to premium volume.

Each claim needs its own outside counsel, its own defense plan, and its own settlement talks.

So what?

At seven filings per business day, every institution with a website is a target.

Recent court rulings have consistently held that full Gramm-Leach-Bliley and HIPAA compliance does not defend against state-level pixel-tracking claims. An MGA in full federal compliance can still face a viable class action for running standard analytics tools on its site.

Monday morning, ask your IT team one question: how many third-party scripts are running on our portal right now? If the answer takes more than five minutes to produce, you don't have a tracking inventory.

That's where the exposure lives. Build the inventory before a plaintiff's AI does it for you.
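As an added illustration (not code from the newsletter or from LION), here is a small offline inventory builder in JavaScript that answers the "how many third-party scripts" question from a saved copy of a portal page's HTML. It assumes a plain regex is enough for a first pass and that a script tag with a non-JavaScript `type` attribute is consent-gated; both assumptions are labeled in the comments, and the sample page and its hosts are constructed.

```javascript
// Added example, not code from the newsletter: build a third-party tracking
// inventory from a portal page's HTML, offline and with no dependencies.
// Assumptions: tags are located with a plain regex (a real audit would also
// use a headless browser to catch scripts injected at runtime), and a <script>
// whose type is not a JavaScript MIME type (e.g. "text/plain") is treated as
// consent-gated, a convention several consent managers rely on.

const JS_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
  return m ? m[1].trim() : "";
}

// One record per <script>, <img> or <iframe> that loads from a host outside
// the first-party domain; subdomains of that domain count as first party.
function inventoryTrackers(html, firstPartyDomain) {
  const base = `https://${firstPartyDomain}/`;
  const found = [];
  for (const m of html.matchAll(/<(script|img|iframe)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    const src = attr(m[2], "src");
    if (!src) continue;                      // inline script, no resource load
    let url;
    try { url = new URL(src, base); } catch { continue; }   // malformed src
    const host = url.hostname.toLowerCase();
    if (host === firstPartyDomain || host.endsWith(`.${firstPartyDomain}`)) continue;
    const type = attr(m[2], "type").toLowerCase();
    // Pixels and iframes fire on load; only a script can be gated by its type.
    found.push({ tag, host, url: url.href, consentGated: tag === "script" && !JS_TYPES.has(type) });
  }
  return found;
}

// Constructed sample portal page; hosts are placeholders, not real sites.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="https://static.example-mutual.test/lib.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script type="text/plain" data-consent="analytics" src="https://cdn.chatvendor.test/widget.js"></script>
</head><body>
<img src="https://px.adnetwork.test/pixel.gif" width="1" height="1">
<iframe src="https://video.example.test/embed/quote-help"></iframe>
</body></html>`;

const report = inventoryTrackers(SAMPLE_HTML, "example-mutual.test");
const ungated = report.filter(r => !r.consentGated).length;
console.log(`${report.length} third-party loads, ${ungated} fire before any consent is given`);
for (const r of report) console.log(`${r.tag.padEnd(6)} ${r.host}  consentGated=${r.consentGated}`);
```

Point it at the saved HTML of your quoting portal and the registrable domain you own; anything it lists that is not on a signed vendor contract and not gated by your consent tool is the exposure the "So what?" section describes.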

Source: LION Deep Research

We run this exercise with clients before every renewal cycle. If you want a second set of eyes on your tracking inventory, we're here. Book a 1:1 call with our team!

Three insurer cases that show how the pipeline works

Summary

United of Omaha Life Insurance.

Cyberattack April 21–23, 2024. Settlement: $300,000. Payments began October 2025. The key detail: the class included anyone whose data touched the quoting pipeline, not just policyholders. For regional insurers that collect personal data during quoting (and that's nearly all of them), prospect data and quote-stage data now carry the same legal exposure as policyholder data. The risk starts at first contact. Not at binding.

Landmark Admin / Multi-Carrier TPA.

One breach at TPA Landmark Admin (May–June 2024) pulled six carriers into a single class action: American Benefit Life, American Monumental Life, Capitol Life, Continental Mutual, Liberty Bankers Life, and Accendo Insurance. The global settlement was $6 million. 1.6 million consumers affected. Final judgment January 2026. Each carrier bore its own defense costs for a flaw in a vendor's platform, not its own.

The case also exposed a tower coordination problem. When a single vendor event triggers cyber, D&O, and E&O notices at once, six carriers across three lines can produce eighteen separate coverage positions on the same event. Defense costs multiply. Settlement coordination stalls out.

California Casualty Indemnity Exchange.

A threat actor accessed the network September 2–8, 2025. Stolen files held Social Security numbers, driver's license numbers, tax IDs, and bank account numbers. At least 6,416 people affected. Within 24 hours of breach notices hitting mailboxes, multiple plaintiff firms had publicly launched class action probes. Complaint drafting was in motion before the company's own response team had finished its work.

The LION Lens

What happened — Three insurer cases produced settlements, multi-carrier lawsuits, and 24-hour plaintiff action from routine data events. None required a massive breach.

Why it matters — Expanded plaintiff pools, vendor chain reactions, and 24-hour filing timelines make institutions easier to target than standard cyber models assume.

Practical implications — Quote-stage data now carries the same legal weight as policyholder data. A single vendor flaw can drag an entire carrier panel into one lawsuit. Plaintiff firms that move in hours outpace response teams that plan in weeks.

So what?

United of Omaha's $300,000 settlement looks modest until you see who was in the class.

The lawsuit risk reaches back to first contact. The policy doesn't have to bind for the exposure to land. If your quoting workflow touches personal data at any point before binding (and it does), that data is now inside the litigation perimeter.

Landmark Admin shows what vendor risk costs.

Three vendor-driven privacy events in a single year, each at $150,000 to $450,000 in defense and settlement, can add 50 to 100 basis points to a regional mutual's expense ratio before any of them pierce the retention. That's an earnings issue, and the kind of cost line AM Best is starting to ask about. Pull your top five vendors by data access. Check whether their contracts include indemnity for privacy claims.

If they don't, that's a conversation that needs to happen with your risk committee before your next E&O renewal, not your procurement team.

The LION POV

Here's how we're advising clients:

Audit personal data handling from first contact through policy issuance. Map every data touchpoint in your pipeline (agent portals, quote tools, online apps) and treat each one as a potential class boundary.

Stress-test vendor contracts against the Landmark Admin outcome. If one TPA incident can name six carriers, your vendor program is a coverage issue. Require indemnity clauses and proof of current security controls.

Plan for a 24-hour response window. Line up panel counsel in California, New York, Illinois, Florida, and Texas now. Retain breach counsel before you need them, not after the AG notice goes out.

The old assumption was one event = one state = one lawsuit. Recent case outcomes suggest that assumption no longer reflects how privacy litigation unfolds.

Sources: Skinner v. United of Omaha Life Ins. Co. (D. Ct. Douglas County, NE, Case No. D01CI240006396); Newson et al. v. Landmark Admin, LLC, et al. (D. Ct. Dallas County, TX, Case No. DC-25-07674); California Casualty breach notification and investigation filings (November 2025)

This is the work we do every day. If your program hasn't been stress-tested against cases like this, let's talk before your next renewal. Book a 1:1 call with our team!

Your website pixels may be wiretaps, and your cookie banner probably isn't helping

Summary

Fox Rothschild published a 10-question CIPA audit this month.

Their finding: pixel wiretap lawsuits have gone national. Companies are getting sued under multiple laws at once, in multiple states, from a single website visit. Courts have ruled that CIPA applies to companies based entirely outside California, as long as the user is in California.

"CIPA was enacted to protect Californians from secret wiretapping on telephone calls. Today, plaintiffs’ attorneys use it to challenge the tracking technologies virtually every modern website deploys." Add the federal ECPA, and geography offers no defense at all. ECPA was written in 1986 to stop the government from tapping phone lines. Plaintiff firms now use it to sue any company whose website sends browsing data to a third-party tracker.

Florida is now the second-busiest state for pixel lawsuits.

Courts in Pennsylvania, Illinois, New York, and Virginia have all ruled on ECPA pixel claims. Only three states have carved pixels out of their wiretap laws. California's SB 690 safe harbor stalled in the Assembly and won't take effect before 2027. The tools that trigger claims are standard. Analytics trackers, ad pixels, session replay tools, chatbots (over 100 lawsuits on chatbots alone), and third-party code in mobile apps.

Courts have tossed browse-wrap policies, rejected generic "Ok" banners, and ruled against cookie banners that don't actually block trackers before they fire. There's a coverage angle most firms miss. If your cyber policy includes a warranty that consent tools are properly configured, and courts are ruling that those tools don't actually block trackers before they fire, you may have a warranty problem inside your own program.

A pixel audit doesn't just reduce litigation exposure. It protects the coverage you're already paying for.

Source: Fox Rothschild, Privacy Compliance & Data Security

So what?

A pixel audit has moved past being a best-practice tip.

If your firm can't confirm what trackers are live, whether consent blocks them before they fire, and whether the privacy policy matches reality, the exposure is already running. CIPA prices it at $5,000 per event. ECPA prices it at $10,000 per person.

Before your next renewal, run the audit and bring the results to the table. Underwriters are already adding consent-tool warranties and pixel-tracking sublimits to cyber and tech E&O forms. The firms that show up with a clean audit and documented consent configuration get different terms than the firms that show up without one.

The audit is the leverage.

The Bottom Line

The filing volume is automated.

AI-powered plaintiff firms find cases, source plaintiffs, and draft complaints faster than most companies can respond. Class definitions reach into quoting pipelines. Vendor flaws pull entire carrier panels into a single suit. And the three defenses most institutions lean on (federal privacy compliance, privacy policy disclosure, cookie consent banners) have each been rejected by courts in cases decided within the past twelve months.

For directors: if privacy and pixel compliance isn't on the audit and risk committee's agenda and a claim lands, the question shifts from "did the company have adequate controls" to "did the board exercise adequate oversight." That's the same Caremark failure-of-oversight framework that has produced personal liability for directors in other regulated sectors.

What this means at your next renewal.

Underwriters are tightening consent-tool warranties on cyber applications, adding pixel-tracking sublimits to tech E&O and cyber forms, and increasing retentions for accounts without a pre-renewal pixel audit. Average defense cost for a small-class privacy action runs $150,000 to $450,000. A regional carrier or MGA facing a couple of filings in a single year can burn through a $250,000 retention on defense alone before the tower responds.

Walk into renewal with a completed pixel audit and mapped vendor data flows, and you're in a different position.

In Case You Missed It!

A month ago we launched our Six-Line Silent AI Audit series, a three-part Wednesday Intelligence series mapping a financial institution's core policies against the AI exposures most insurance policies were never written to address.

Part 1 covered D&O and EPLI, where "wrongful act" definitions assume a human decided and algorithmic discrimination doesn't map to your form's coverage trigger. Part 2 covered E&O and Cyber, where the professional/product liability boundary for AI-assisted advice is unsettled in every court and deepfake wire fraud falls between three coverage sections without triggering any of them cleanly. Part 3 delivers the full audit framework across Fiduciary and Crime/FI Bond, plus the governance documentation underwriters at leading FI writers are asking for at renewal.

Read Part 1 here, or listen to the audio version here.

Read Part 2 here, or listen to the audio version here.

Part 3 out next Wednesday!

Thank you for reading today's edition!

Want to share this edition via text, email or social media? Simply copy-and-paste the link below:

https://lionspecialty.kit.com/posts/the-nano-class-era-1-822-privacy-lawsuits-filed-in-2025-three-hit-insurers-we-need-to-talk-about

And if this briefing was forwarded to you, subscribe directly here.

Stay Covered Out There Y'all,

TASH & FLIP

Co-Founders and Managing Partners

LION Specialty

P.S. Privacy lawsuits, AI-driven claims, and expanding board liability are stacking into the kind of multi-front D&O exposure most firms never stress-test until a claim forces the question. Comment BLUEPRINT and we'll send you our D&O Contract Vigilance Blueprint, a 5-day email course on the policy gaps that only show up after a claim is filed.

P.P.S. Nothing in this briefing constitutes legal advice. These are the opinions of the founders. It's market intelligence designed to help you ask better questions of your advisors and make sharper decisions at your next insurance renewal.

LION Specialty

Everything you need to know to navigate the financial institution insurance market in ≈ 5 minutes per week. Delivered on Fridays.
