30th Floor, North Tower, Beijing Kerry Centre, 1 Guanghua Road, Chaoyang District, Beijing, 100020
+86 10 8519 0011
50th Floor, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
+852 2521 5621
Room 4605, Park Place, 1601 Nanjing West Road, Jing An District, Shanghai, 200040
+8621 6321 1166
Suite 2405, 24/F, SCIA Tower, Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone of Shenzhen, Shenzhen, 518000
+86 755 6123 5666
Select your language
Please accept the geolocation request appearing in your browser
Find other officesThe combination of heightened cyber risk, potential legislative reform and growing interest in this area from claimant law firms and litigation funders suggests that the threat of data subject claims is a growing corporate risk – both financially and reputationally.
This is further supported by the experiences of the cyber team at international professional services firm Pinsent Masons. The team's experience from working on a significant number of breach response matters is that, in cases where data subjects are notified about a data security breach, 20% have resulted in actual or threatened claims from data subjects.
Stuart Davey
Partner
Organisations need to be prepared to respond to the tactics favoured by claimant firms and claims management companies following a data security breach
Our findings also show that the litigation risk significantly heightens in correlation with the severity of the security breach. Controllers can be almost certain of litigation where there has been regulatory enforcement in respect of the incident. That said, the cyber team has observed examples of data subject claims being made against organisations in the aftermath of data security breaches where regulators have not taken any action in relation to those breaches.
Recent developments have made it easier for data subjects to raise claims as part of a group of individuals similarly impacted by an incident such as a data security breach.
In Europe the law on group claims differs across jurisdictions, but a harmonised model for collective consumer redress is to be introduced at a EU level under a new group claims directive. Actions could be raised on both an 'opt-in' and an 'opt-out' basis under the proposals, subject to protections against vexatious claims being pursued. In Scotland, new legislation has recently come into force which introduces a procedure for group proceedings on an opt-in basis initially, but with provision for cases to be brought on an opt-out basis too.
In the field of data privacy claims specifically, the position is inconsistent across jurisdictions. We are aware of two opt-in class action cases pending before the courts in France, and a pending case involving Facebook currently before the German Federal Court of Justice. In Ireland, a digital rights advocacy body brought the first multi-party action in Ireland against the Irish government in 2019, while in Spain there are currently no collective redress mechanisms available.
Outside Europe, our team in Hong Kong note a renewed interest in collective redress options following the Cathay Pacific data breach. Legislation in Hong Kong currently allows for representative actions, but discussion has been stirred up on the adoption of a class action regime.
Provision is contained in the UK's Data Protection Act 2018 for claims to be raised on behalf of groups of individuals affected by breaches of the legislation. Currently, such claims can only be raised by non-profit organisations and involve only individuals who have given their permission to be represented. However, the government is in the process of reviewing representative action provisions and recently consulted on whether to allow non-profits to bring court claims on behalf of individuals without their consent.
In addition, the UK Supreme Court is set to hear an appeal in April 2021 in the Lloyd v Google LLC case, a novel attempt to bring a claim on behalf of several million data subjects under the representative action procedure in rule 19.6 of the Civil Procedure Rules.
If opt-out class actions are ultimately permitted in the data breach space, such cases will be particularly attractive to third party litigation funders. Opt-out claims could involve tens or hundreds of thousands or even millions of people in a group and potentially concern just the question of the level of damages payable if judges are persuaded by earlier regulatory determinations of a breach. The potential overall damages award could be high, even if each individual claimant is ultimately awarded a relatively modest damages sum. It is this overall award which represents an area of significant risk to organisations.
On a practical level, organisations need to be prepared to respond to the tactics favoured by claimant firms and claims management companies following a data security breach. Such tactics can create operational headaches for the recipient organisation, with multiple deadlines running concurrently, and which can be designed to pressure organisations into early settlement of cases. Our annual report explores the cyber team's experience of responding to some of these tactics.
The potential for substantial pay-out exposure should concentrate boards' minds on the importance of robust procedures and governance, including plans for handling potential large scale claims.
Written by
Stay ahead by signing up to our weekly email of news and expert analysis, tailored for you
Data, privacy & cyber
Valid email address
Thanks, we have sent an email to
Please check your inbox to confirm your subscription. The confirmation email may take up to 15 minutes to arrive.
• Check your spam or junk folder
• Ensure your email address was entered correctly.
• You can amend your details and resubmit if required
• If the email has still not arrived, please contact us for assistance
OUT-LAW GUIDE
Businesses across sectors and throughout supply chains are increasingly being advised to consider the risk they are exposed to from growing scrutiny of ‘forever chemicals’.
OUT-LAW GUIDE
Construction law in Ireland sets out obligations in respect of how payment is to be managed under construction contracts.
OUT-LAW GUIDE
Companies entering the Irish market should consider the obligations that they face in law relevant to undertaking construction work in Ireland.
We use cookies that are essential for our site to work. To improve our site, we would like to use additional cookies to help us understand how visitors use it, measure traffic to our site from social media platforms and to personalise your experience. Some of the cookies that we use are provided by third parties. To accept all cookies click ‘accept all’. To reject all optional cookies click ‘reject all’. To choose which optional cookies to allow click ‘cookie settings’. This tool uses a cookie to remember your choices.
Please visit our cookie policy for more information.
