Organisations should prepare for an increase in claims raised by data subjects following cybersecurity incidents.
The combination of heightened cyber risk, potential legislative reform and growing interest in this area from claimant law firms and litigation funders suggests that the threat of data subject claims is a growing corporate risk – both financially and reputationally.
This is further supported by the experiences of the cyber team at international professional services firm Pinsent Masons. The team's experience from working on a significant number of breach response matters is that, in cases where data subjects are notified about a data security breach, 20% have resulted in actual or threatened claims from data subjects.
Stuart Davey
Partner
Organisations need to be prepared to respond to the tactics favoured by claimant firms and claims management companies following a data security breach
Our findings also show that the litigation risk significantly heightens in correlation with the severity of the security breach. Controllers can be almost certain of litigation where there has been regulatory enforcement in respect of the incident. That said, the cyber team has observed examples of data subject claims being made against organisations in the aftermath of data security breaches where regulators have not taken any action in relation to those breaches.
The varying and evolving legal position on group claims
Recent developments have made it easier for data subjects to raise claims as part of a group of individuals similarly impacted by an incident such as a data security breach.
In Europe the law on group claims differs across jurisdictions, but a harmonised model for collective consumer redress is to be introduced at a EU level under a new group claims directive. Actions could be raised on both an 'opt-in' and an 'opt-out' basis under the proposals, subject to protections against vexatious claims being pursued. In Scotland, new legislation has recently come into force which introduces a procedure for group proceedings on an opt-in basis initially, but with provision for cases to be brought on an opt-out basis too.
In the field of data privacy claims specifically, the position is inconsistent across jurisdictions. We are aware of two opt-in class action cases pending before the courts in France, and a pending case involving Facebook currently before the German Federal Court of Justice. In Ireland, a digital rights advocacy body brought the first multi-party action in Ireland against the Irish government in 2019, while in Spain there are currently no collective redress mechanisms available.
Outside Europe, our team in Hong Kong note a renewed interest in collective redress options following the Cathay Pacific data breach. Legislation in Hong Kong currently allows for representative actions, but discussion has been stirred up on the adoption of a class action regime.
An evolving picture in the UK
Provision is contained in the UK's Data Protection Act 2018 for claims to be raised on behalf of groups of individuals affected by breaches of the legislation. Currently, such claims can only be raised by non-profit organisations and involve only individuals who have given their permission to be represented. However, the government is in the process of reviewing representative action provisions and recently consulted on whether to allow non-profits to bring court claims on behalf of individuals without their consent.
In addition, the UK Supreme Court is set to hear an appeal in April 2021 in the Lloyd v Google LLC case, a novel attempt to bring a claim on behalf of several million data subjects under the representative action procedure in rule 19.6 of the Civil Procedure Rules.
Managing claims
If opt-out class actions are ultimately permitted in the data breach space, such cases will be particularly attractive to third party litigation funders. Opt-out claims could involve tens or hundreds of thousands or even millions of people in a group and potentially concern just the question of the level of damages payable if judges are persuaded by earlier regulatory determinations of a breach. The potential overall damages award could be high, even if each individual claimant is ultimately awarded a relatively modest damages sum. It is this overall award which represents an area of significant risk to organisations.
On a practical level, organisations need to be prepared to respond to the tactics favoured by claimant firms and claims management companies following a data security breach. Such tactics can create operational headaches for the recipient organisation, with multiple deadlines running concurrently, and which can be designed to pressure organisations into early settlement of cases. Our annual report explores the cyber team's experience of responding to some of these tactics.
The potential for substantial pay-out exposure should concentrate boards' minds on the importance of robust procedures and governance, including plans for handling potential large scale claims.
Written by
