This year has brought sweeping changes to the way businesses must respond to data breaches. There are new obligations to notify regulators of data breaches and significant decisions on liability in the Morrisons and Lloyds judgments. Finally, there are important lessons to be learnt from the regulatory fines issued to Equifax and Tesco Bank.
The worrying aspect about data breaches is that they can so easily affect hundreds of thousands, if not millions, of individuals. We round up these developments and consider if the floodgates have opened for liability claims.
Changes to the legal framework
A number of new data breach notification obligations have come into force this year. The table at the bottom of this article summarises the current framework.
The most significant obligation arises under the General Data Protection Regulation which, amongst other things, requires “risky” breaches to be notified to the Information Commissioner. She is reportedly receiving around 500 breach notifications a week and is concerned that some controllers are “over reporting”.
The number of reports may reduce over time as the new system beds in. In the interim, many businesses are likely to take a cautious approach and report borderline breaches on the basis that there is little downside; a minor breach is unlikely to be selected for future enforcement action.
The notification duties under the General Data Protection Regulation are at least harmonised across the European Union. The same is not true for the Network and Information Systems Directive which has been implemented in a slightly different way in each Member State. For example, it does not apply to financial services firms in the UK and sanctions for breach vary significantly. We provide an overview of the implementation of this Directive in Belgium, France, Germany, Spain and the UK, here.
Morrisons – Strict liability for rogue employees
The impact of the laws of vicarious liability on data breaches was recently considered by the Court of Appeal in Morrisons v Various Claimants EWCA Civ 2339.
The breach is slightly unusual. It was not the result of an attack by a third party and instead was caused by a disgruntled employee, Andrew Skelton, who worked as a senior internal auditor. After making unauthorised use of Morrisons’ postal facilities, he was given formal verbal warning. This left him with a grudge against Morrisons.
Mr Skelton was subsequently asked to help KPMG audit Morrisons. KPMG needed access to Morrisons’ payroll data, which the human resources department provided to Mr Skelton. Mr Skelton provided that data to KPMG using an encrypted USB stick but also copied it onto a personal USB stick. Mr Skelton then, amongst other things, uploaded it onto the internet. This was a serious criminal act for which Mr Skelton was jailed for eight years.
A Group Litigation Order (opt-in class action) was launched and 5,518 employees have now signed up. The case reached the Court of Appeal which upheld the High Court’s judgment. Accordingly:
- Morrisons largely complied with its security obligations under the Data Protection Act 1998 (the breach took place before the GDPR applied). It was therefore not liable for breach of data protection laws. When Mr Skelton uploaded the payroll data to the internet, he did so as an independent data controller. Morrisons was not the controller in respect of that processing.
- However, Morrisons was vicariously liable for Mr Skelton’s actions. The initial misuse of the personal data was within the “field of activities” entrusted to Mr Skelton and there was an “unbroken chain” of events leading to Mr Skelton publishing the payroll data on the internet. The fact the breach was not Morrisons’ fault is not relevant. Vicarious liability is strict.
Morrisons has announced they will appeal to the Supreme Court. That appeal may raise a number of important issues including:
- Whether vicarious liability should apply where the employee’s intention is to harm the employer. Mr Skelton’s motive for disclosing the payroll data was to punish Morrisons; by finding Morrisons liable, the Court is furthering that aim. This novel defence failed in the Court of Appeal and seems unlikely to succeed on appeal. Motive is generally irrelevant in cases of vicarious liability.
- Whether data protection laws should displace causes of action for breach of confidence and misuse of private information. There is an argument that the fault-based liability for breach of the Data Protection Act 1998 is inconsistent with strict vicarious liability for defaults by an employee. Again, this argument was rejected by the Court of Appeal.
- Whether the rules on vicarious liability should apply in the same way to data misuse. Cases on vicarious liability have traditionally involved cases of assault or theft. There is an argument that extending these principles to data misuse opens the floodgates to liability given the relative ease by which a single employee can affect thousands of others.
However, the interesting issue is not liability but damages. This is a split trial on liability and damages so this will not be decided until a later date. Given none of the employees have suffered any financial loss, compensation may well be small (though with 99,998 employees affected this could still add up to a large number). The case below casts some light on this issue.
Lloyd v Google – Putting a figure on liability
This case arose out of the “Safari Workaround”, essentially Google’s use of a technical workaround to bypass the cookie settings on the Safari browser and place tracking cookies without the individual’s knowledge or consent. This was a clear breach of privacy laws by Google, which was fined by US regulators.
Mr Lloyd launched a representative action against Google to recover damages on behalf of the 4.4 million affected individuals in England and Wales. Mr Lloyd suggested they should receive approximately £750 compensation each, which indicates total liability of up to £3 billion. Google described this as a “contrived and illegitimate attempt to shoe-horn a novel ‘opt-out class action’ into the representative action procedure”.
Mr Lloyd applied to the English courts for permission to serve proceedings out of jurisdiction on Google LLC in California (Lloyd v Google LLC EWHC 2599). That application was comprehensively rejected.
- The Court decided compensation is only available where there is some form of damage or distress. A technical breach does not give a right to compensation. The Court cannot make an award of "vindicatory" damages, merely to mark the commission of the wrong; this is wrong in principle.
- This means that there is no “flat rate tariff” for compensation. Some users may be able to claim compensation because they suffered actual damage or distress (as presumably was the case in the earlier decision Google Inc v Vidal-Hall EWCA Civ 311). Some users might have a claim to “negotiation damages”, i.e. be paid a sum to represent the amount of money Google would have paid them to use their information. However, the position of each user is different.
- The fact compensation depends on the circumstances of each class member means that they do not have the “same interest” (a key test for a representative action). Those that have actually suffered damage or distress may have a right to compensation, but those who have not have no right to compensation. Their interests are different.
- In any event, identifying and verifying who was affected by this breach is difficult, if not impossible.
Mr Lloyd has indicated he will appeal, though this may be a struggle given the Court’s conclusion this is “officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches”. Moreover, the “main beneficiaries of any award at the end of this litigation would be the funders and the lawyers, by a considerable margin”.
This was a representative action. It will be interesting to see if these principles are applied to Group Litigation Orders (opt-in class actions) such as the Morrisons case above. While GLOs are not subject to the same strict requirements, they also raise questions about how you award compensation to a large group of claimants who have not suffered any actual loss or are affected very differently.
Equifax – Lessons for intra-group processing
Breach of data protection laws can also result in regulatory sanctions. In September 2018, the Information Commissioner fined Equifax £500,000, the maximum under the Data Protection Act 1998.
The data breach occurred in 2017 and was the fault of its parent, Equifax Inc., which acted as Equifax Limited’s data processor. Equifax Inc. ran a web server using open source software called Apache Struts. A critical vulnerability in Apache Struts was identified on 7 March 2017 and a patch was released the same day. However, Equifax Inc. did not apply that patch. Nearly two months later, the web server was still unpatched and Equifax Inc. was hacked, resulting in a massive loss of data, including data relating to Equifax Limited.
The size of the fine reflects a number of aggravating factors:
- Equifax Limited failed to undertake a proper risk assessment of Equifax Inc. While Equifax Limited had put Standard Contractual Clauses in place, the clauses did not contain sufficient detail of the security measures applied. They only contained general assertions about the use of “industry leading” security.
- Equifax Inc. only notified Equifax Limited some months after the breach took place.
- Equifax Limited had not audited Equifax Inc., or otherwise checked its security measures particularly regarding patching and storage of passwords.
- There was also a breach of the fifth data protection principle (retention). The service to which the data related had been transferred from Equifax Inc. to Equifax Limited some time earlier. In other words, there was no need for Equifax Inc. to continue to hold that personal data.
The breach provides a number of pointers on how to manage intra-group processing arrangements. It also took place under the Data Protection Act 1998. The maximum sanction under the General Data Protection Regulation is much higher, being the greater of EUR 10 million or 2 per cent of annual worldwide turnover (the lower tier of sanctions under the GDPR). It is not clear whether the sanction would have been higher had that breach occurred now.
Tesco Bank – Failure of processes
The Information Commissioner is not the only regulator with powers to sanction data breaches. In October 2018, the Financial Conduct Authority fined Tesco Bank £16.4 million following a cyber-attack.
The attack took place in November 2016. Fraudsters in Brazil sent a series of fraudulent payment instructions using a payment method known as “PoS91”. This is a known source of fraud. The attack took nearly 48 hours to close down and caused losses of £2.26 million.
The Financial Conduct Authority found Tesco Bank in breach of Principle 2 of the FCA Handbook. This requires a firm to conduct its business with due skill, care and diligence. Some of the key failings arose from poor general security:
- The risk of fraudulent PoS91 transactions was well known. Tesco Bank changed the rules for its credit cards to block these transactions, but did not make similar rule changes for its debit cards.
- Tesco Bank had used sequential PANs (primary account numbers) on its debit cards, which made it easier for the attackers to create fraudulent PoS91 transactions.
Tesco Bank’s response was also inadequate:
- The attacks started at 2:00am on Saturday, 5 November 2016. Tesco’s front line team should have telephoned their specialist fraud team for support. However, they sent an email instead. The relevant mail box was not monitored at the weekend, so the email was not picked up. The specialist fraud team was only phoned much later on in the day. This allowed the fraud to go unchecked for 21 hours.
- When the specialist fraud team were alerted, they coded a rule change to block PoS91 transactions. That rule was put in place at 1:48am on Sunday. However, the fraud team did not check it was working properly. Only when they reconvened at 7:00am Sunday morning did they discover the rule change was ineffective.
Following the attack, Tesco Bank put a comprehensive redress programme in place and co-operated fully with the investigation. As a result, the Financial Conduct Authority reduced the fine by thirty per cent.
The breach illustrates the need not just to have robust processes to respond to cyber-attacks but to test them to ensure they work in practice.
In Ultramares Corporation v. Touche, Cardozo, CJ famously warned against the law creating "liability in an indeterminate amount for an indeterminate time to an indeterminate class". In the case of data breaches these factors may be massive rather than indeterminate, but the same principles apply.
Does the law draw the right balance between the interests of affected individuals and the risk to businesses of potentially ruinous liability? In the Morrisons case, the Court of Appeal suggested that such “Doomsday or Armageddon arguments” could be avoided through insurance. Finding suitable and affordable cover may be easier said than done.
Key breach notification obligations*
| Law | In force | Who must notify | Trigger | Notification obligation |
|---|---|---|---|---|
| General Data Protection Regulation | May 2018 | Controllers of personal data. | Personal data breaches. | All personal data breaches must be recorded. Risky breaches must be notified to the ICO within 72 hours. High risk breaches must be notified to individuals. |
| Network and Information Systems Regulations 2018 | May 2018 | Operators of essential services. Digital service providers. | Incidents having significant impact on services. | Notification to the relevant competent authority without undue delay and within 72 hours. |
| Payment Services Regulations 2017 | January 2017 | Payment service providers. | Major operational or security incident. | The FCA must be notified within 4 hours. Users must be notified without undue delay if there is an impact on their financial interests. |
| eIDAS Regulation | July 2016 | Trust service providers. | Breach of security or loss of integrity. | Significant breaches must be notified to the ICO within 24 hours. Users must be notified if the breach will adversely affect them. |
| FCA Principles for Business | April 2013** | Financial services firms. | Various. | A firm must notify the FCA of anything it would reasonably expect notice of. |
| Privacy & Electronic Comms. etc. Regulations 2003 | May 2011 | Personal data breach. | Personal data breach. | The ICO must be notified within 24 hours. |
* This is not a complete list. Other sector specific obligations arise, for example obligations on telecoms operators to notify Ofcom of security breaches under section 105B of the Communications Act.
** These replace the earlier, and very similar, FSA Principles for Business.