Data Breach and Privacy Claims – The next big thing?
Following the introduction of holiday sickness claims protocols and fixed fees (April 2019), the PPI claim limitation deadline (August 2019) and the impending changes proposed within the Civil Liability Act (April 2020 at the earliest) there is evidence that CMCs and Claimant Solicitors are considering Data Breach Claims as an area which may provide an opportunity to fill voids created by the reductions in work volumes and profits of its predecessors.
A simple Google search reveals the extent to which this potential new source of business has been identified and actively marketed, although the general public do not appear to have jumped on the bandwagon, so far.
Could this this really be the next PPI?
It depends. Unless the Court of Appeal or the Government take steps that control these claims, they could become expensive and increasingly prevalent. Where a data breach has occurred, the Information Commissioner’s Office (ICO) has already shown that it takes matters extremely seriously. This will be reflected in the claims that are made, where measuring the claimant’s losses will be based on a substantial element of subjectivity.
Are the majority of claims likely to come from publicised data breaches/group actions?
Claimant lawyers are more likely to be interested in individual claimants if they are involved in a serious breach causing substantial distress or loss. However, as with flight delay claims, it may be attractive to handle group claims, even at relatively low value. Those are likely to flow from well publicised breaches that affect a large number of individuals but with modest consequences in terms of distress. These claims will, however, need to pass a ‘threshold’ test (see below).
Defences are probably going to be limited, on the basis that a breach is a breach, even if accidental and appropriate data protection measures are in place. This should be contrasted with lawful or unlawful processing, as defined within GDPR/DPA. However, per Lloyd v Google the court clearly stated that there is a threshold of seriousness. A claim for loss of control of personal data would not arise in relation to “an accidental one-off data breach that was quickly remedied”. Instead, in such a case, the individual would likely need to prove actual damage, non-material damage or distress. Whilst not a defence to liability per se, there does appear to be an opportunity to raise arguments based on causation.
In addition to praying in aid the “threshold of seriousness”, data controllers faced with trivial claims for loss of control damages could seek to strike out such claims as an abuse of process on the basis of the Jameel (2005) principle, i.e., there has been no real and substantial tort. Reliance on the Jameel principle in data protection claims may become more common, particularly if direct marketing attracts high volumes of spurious claims, as we have seen in so many other areas.
What types of data breaches are most common?
A recent study of over 40,000 incidents showed that errors accounted for 21% of all data breaches, which is good evidence that many data protection breaches are not caused intentionally. However, the study also found that over 70% of breaches were financially motivated, with approximately half of all breaches involving hacking in some form. Hackers are becoming increasingly sophisticated in their attempts to crack valuable data stores and any organisation which holds some kind of personal data is now considered to be a target.
Local Authorities and Council Breaches
The ICO has confirmed that there were 223 data breaches involving local governments in the UK in the final quarter of 2018 alone. The majority of these involved data being posted, faxed or emailed to the incorrect participant, but also included loss or theft of paperwork from an insecure location.
Local councils often deal with large amounts of highly sensitive data regarding their constituents, so the scope for damage can be considerable. Figures from the ICO highlight a failure to use BCC in emails as being a particular issue for authorities dealing with education and childcare.
Card skimming and Finance Attacks
Unsurprisingly, the majority of breaches that take place involve the loss of financial data which leads to £190,000 a day being lost to victims from around the UK. Whether by sophisticated scams or intelligent hacking of payment systems, cyber criminals have proven themselves more than capable of compromising some of the world’s biggest brands. In some cases, hackers have been able to surreptitiously access booking systems and then skim personal details from users as they make their payments. In this circumstance, those responsible for the system would be at fault for not providing proper protection for their users.
Every industry involves some use of administration, which necessitates the storing of personal data. This data could relate to employees of the company, clients or beneficiaries of the organisation. Regardless of whom the data is connected to, those responsible for processing it can often be the ones responsible for accidentally disclosing it. Clerical errors can include simple mistakes such as sending an email containing personal data to the wrong recipient, or a letter sent to the wrong address but can also include verbal disclosure of personal data and incorrect disposal of paperwork
Loss or Compromise of Mobile Electronic Devices
In a recent mobile security report, over 600 professionals responsible for the management of mobile devices within their organisations admitted to not protecting their assets as well as they would other devices. Whether by theft, loss or malicious attack, mobile electronic devices are vulnerable to more threats than their desktop counterparts and often contain valuable tranches of personal data. The ICO confirmed that there were 112 reports of lost or stolen devices containing personal data in Q4 of 2018.
Data protection breach compensation amounts will vary from case to case depending on the type of claim that has been made and the severity of the distress or damage caused to the claimant. One claimant firm suggests that cases involving ‘low risk’ personal information that is unlikely to lead to serious distress can be settled from between £750 and £1000 in compensation.
The amount a victim could be entitled to claim for data breach damages will depend on a number of factors, including:
- The nature of the data that has been exposed
- The extent of data that has been exposed
- Who the data has been exposed to
- The impact that this particular data can have on your social and work life
Generally speaking, the more serious the data breach, the more in damages the victim may be entitled to claim under UK law. Most people are more distressed when it comes to more sensitive and personal data, such as medical information. The type of data and who it has been exposed to are two key elements in a legal case.
There are cases that have settled for hundreds of thousands of pounds because of who the victim was and how their private information was exposed.
- Charlotte Church, singer: £600,000
- Jude Law, actor: £130,000
- Sienna Miller, actress: £100,000
- Sadie Frost, designer: £50,000
- Guy Pelly, friend of Prince Harry: £40,000
- Sadie Frost, designer (again!): £260,000
- Paul Gascoigne, former football player: £188,000
- Shane Richie, Actor: £155,000
- Alan Yentob, creative director for the BBC: £85,000
Time will tell whether the data breach claims market will gain the traction those marketing for business hope. Lessons will have to be learned from the initial response to holiday sickness claims, where the ‘pay it and get rid’ policy adopted by many compensators facilitated and encouraged the widespread fraud which followed. A cautious but firm stance on extremely minor or trivial claims is the recommended strategy, but ultimately the solution lies with prevention rather than a cure.
For more information please contact Richard Preston, Partner and Head of Intel.