How Data Breach Class-Action Lawsuits Are A ‘New Tool’ For MSPs: Expert

While a bad trend for businesses as a whole, MSPs can at least use the rise of class-action suits over breaches to spark discussions with clients, according to insurance broker and author Joe Brunsman.

While a negative trend for the business world as a whole, MSPs can at least use the recent rise of class-action lawsuits over data breaches to spark discussions with clients, according to insurance broker and author Joe Brunsman.

Speaking during XChange Security 2025 in Frisco, Texas, Brunsman told MSPs that the past several years have seen a massive acceleration in class-action suits against companies by groups of individuals whose data was compromised in a breach — with such cases doubling between 2022 and 2024 alone.

[Related: Navy Veteran Erica Dobbs To Fellow MSPs: ‘Lead Through The Chaos No Matter What’]

Crucially, the cases do not just involve large companies: Brunsman pointed to cases of class-action breach lawsuits against a seven-attorney law firm and a 22-partner accounting firm, as well as a medium-sized pharmacy that was sued by its own employees over a breach.

“This whole [idea of], ‘I’m not going to get a class-action claim because I’m just a little tiny law firm in the middle of the Southwest — nope, that’s gone,” said Brunsman, managing member of Arnold, Md.-based insurance brokerage Brunsman Advisory Group and author of several books including “Damage Control: Cyber Insurance and Compliance.“

In other words, “being small won’t save you,” he said.

The situation does have the potential to create risk for some MSPs, given that some class-action breach lawsuits do end up involving an MSP, Brunsman noted.

However, for many MSPs the environment can also present an opportunity to engage clients who may be otherwise difficult to persuade on taking security and compliance seriously, he said.

“This is the new tool in your toolkit that you can talk to clients about,” Brunsman said.

The situation, he said, is ultimately “a bad trend for business at large, a good trend for the MSP community, and kind of a double-edged sword.”

For MSPs looking to clearly demonstrate to their clients what’s at stake with their posture around cybersecurity and compliance, the surge in class-action breach claims could certainly be a worthy topic for discussion, said Bill Suarez, CISO at Southwick, Mass.-based Whalley Computer Associates.

There definitely could be a time and place “to present the data to them that says, ‘If you don’t do this, this is what you’re up against,’” Suarez said.

Additional pressure is coming from the fact that organizations are finding it increasingly difficult to fall back on cyber insurance policies, he noted.

“The insurers are pushing back, making the customers take on a greater responsibility for risk mitigation, because they’re losing their shirts,” Suarez said.