The GDPR represents a fundamental shift in the risks associated with data breaches for every business. Many more breaches will have to be notified, either to regulators or data subjects. Many more breaches will therefore enter the public domain, with the associated public reputational harm that will follow.
Litigation by data subjects under the DPA
While much has been made of the potentially eye-watering fines the GDPR will introduce for serious breaches, less attention has been paid to the fact that businesses will also face an increased risk of post-breach litigation by data subjects. At the moment, after a breach which is notified to data subjects, typically a few well-informed data subjects will threaten, or even issue, proceedings for breach of s.13 of the Data Protection Act. These actions usually claim damages of a few thousand pounds for distress and loss of control of personal data. Due to the cost of defending such claims relative to the damages sought, and the adverse publicity when claims become public, businesses tend to settle the few claims they do receive quickly, with confidentiality obligations in the settlement agreement.
Increased risk of litigation under the GDPR
After the GDPR, we expect there to be a significantly greater risk for companies than is currently the case, for a number of reasons:
- as mentioned above, many more breaches will enter the public domain;
- more breach notification to the ICO is likely to mean more action against data controllers and processors, which will lead to 'follow-on claims' after a decision notice is published by the ICO (although many claims won't wait that long);
- public awareness of individuals' rights as data subjects, and of data controllers' and processors' obligations, is increasing significantly as we get closer to May 2018;
- the GDPR explicitly states that data subjects can obtain damages for what is typically called distress under English law without the need for financial loss (this is the case in English law since Vidal-Hall and others v Google anyway, but it is even more explicit under GDPR); and
- several law firms are already marketing their data litigation and class action experience, and they will actively look to put together classes of claimants. Litigation funders are already looking at funding data subject class actions.
There is relatively little case law on damages for breach of the Data Protection Act, and each case will be fact-specific depending on the data lost. However, businesses can expect claims seeking damages of between £2,000 and £5,000 (or more in certain circumstances) for each data subject. That is obviously not a significant amount if one or two, or even ten, data subjects bring claims. If a class of 10,000 data subjects brings a group action, the total quantum is then £20,000,000 to £50,000,000. Many breaches involve significantly more than 10,000 data subjects' records.
A move towards US style litigation?
We expect the UK to move towards the US model on data breach litigation. What happens in practice in the USA is that, shortly after a data breach, claimant law firms put together a claim acting on behalf of all potential victims and issue proceedings quite quickly after the breach becomes public. Ironically, what we will almost certainly see is unscrupulous claims management companies sending (mostly unauthorised) marketing texts saying "Are you affected by the data breach at [company x]? Contact us to bring a claim…".
Make sure your forensic report is privileged
This very significant litigation risk brings into stark relief the importance of getting the initial investigation into a potential data breach right. When a letter is sent on behalf of a class, or proceedings are issued, the claimants will seek (and will likely get) early disclosure of several documents. Key among those are the forensic IT reports into the breach itself. As anyone involved in breach response work knows, those reports will often (out of necessity) be equivocal as to the cause of the breach and what data was exfiltrated. They will also highlight a number of potential security issues which may, or may not, have contributed to the incident. This is particularly the case with preliminary reports. Those documents can be enormously damaging to the chances of defending follow-on claims after a breach, and may significantly affect what settlement is reached.
Unfortunately, in our experience, when clients instruct us later than is ideal, those reports have already been commissioned, and sometimes even prepared, without the involvement of the legal function. This makes it very difficult to argue that the reports are subject to privilege, and they are therefore much more likely to be disclosable in litigation (and to the regulator).
We have seen several instances of major insurers who offer cyber liability insurance advising their insured to instruct one of the insurer's panel forensic IT firms, without insisting on the involvement of the internal or external legal function in that instruction. Not only does this significantly increase the business's risk, it also potentially (depending on the scope of cover) increases the insurer's own risk under the policy.
Similarly, we have seen forensic IT providers refusing to insert what should be entirely uncontroversial wording in a Scope of Work (SoW) stating that the report is prepared for the purposes of potential litigation and regulatory investigation. This contrasts with the approach in the US, where reputable forensic IT providers do not accept instruction other than from the internal or external legal function.
UK practice needs to change; otherwise businesses will significantly weaken their ability to defend follow-on claims after a breach. Appropriate wording can be pre-prepared so that it can quickly be inserted into a contract or SoW, and processes to have the internal or external legal function available at short notice to deal with this issue should be part of any company's incident response plan. In practice, this should not delay instructing the forensic IT function, and it would put companies that suffer a data breach in a much stronger position than they otherwise would be to defend, or settle on good terms, data subject litigation following a data breach.