Data as a commodity
It has been said that “the world’s most valuable resource is no longer oil, but data.” This can be demonstrated by a valuation being placed, for the first time, upon the data held by the National Health Service – at almost £10 billion per year.
The Regulatory Response – GDPR
In recognition of this fast-paced industrial change and the new market for this commodity, regulators have taken action. The introduction by the European Union of the General Data Protection Regulation, which came into force on 25th May 2018, will not have escaped anyone’s attention. The United Kingdom put this onto a domestic legal footing with the passing of the Data Protection Act 2018. The rationale behind this legislative response is to ensure consumers’ data is protected; used in a manner which they would expect; and that they retain certain rights over their own data.
It has also been widely reported that the sanctions for failure to comply with the new legislation are far more severe: the Information Commissioner’s Office (the UK’s regulatory body) can impose fines of up to £20 million or up to 4% of worldwide annual turnover. Earlier this year, British Airways was advised that the ICO intended to impose a fine of £183 million for a data breach that took place in 2018. In light of these developments, it is important to consider what action can be taken to protect consumers’ data, what can be done to mitigate any breach and what the consequences of a data breach are likely to be.
Cyber-Security / Cyber-Risks
Effective cyber-security procedures are imperative for businesses handling consumers’ data. We have previously looked at the potential risk that cyber-attacks pose to businesses in more detail. In brief, businesses can face cyber-security attacks from:
- Deliberate and targeted malicious attacks from hackers;
- Accidental loss of data by employees; and
- Deliberate internal data breaches by employees or contractors.
Hacking & Accidental Loss
With the first of these risks, the importance of adequate anti-virus software, firewalls, encryption and other equivalent measures should be obvious to all. However, it is fairly common for people to put off installing automatic updates on their devices. This habit may soon change. Litigation by a Dutch consumer organisation against Samsung was directed at Samsung’s alleged failure to provide updates to its handsets’ operating systems. It was said that this left the consumers’ handsets vulnerable to hacking.
Whilst the litigation ultimately failed because, amongst other things, Samsung was not deemed to be the processor or the controller of the data on the handsets, it serves as a warning that consumers are prepared to take legal action to attempt to compel companies to effectively ensure the security of their personal data, as required by the GDPR and other EU Directives.
Deliberate Internal Breaches
In most instances, accidental loss by employees can be guarded against with the use of encryption. However, instances where employees are given unfettered access to large amounts of data as part of their job make deliberate breaches the hardest to guard against. In an ongoing litigation in England & Wales, the supermarket chain Morrisons has been sued by around 5,000 employees for a deliberate data breach by another Morrisons employee.
The Court of Appeal has decided that the supermarket was vicariously liable for its employee’s actions even though he uploaded the data on a Sunday and from his own home. The court said that what he did was closely related to what he had been asked to do by his employer and so Morrisons were vicariously liable for his actions. In a comment that will concern the insurance industry, the court suggested that the appropriate safeguard was for employers to insure against such risks. In April 2019, Morrisons were granted permission to appeal to the UK Supreme Court. Keep an eye on our website for an update once the appeal has been determined.
Group Litigation and Damages for Data Breaches
We have previously discussed the introduction of group litigation into Scotland and England & Wales. In the context of data breaches, the prospect of group litigation has been on the horizon for some time. This is on the basis that when something goes wrong and there is a data breach, it tends to go wrong in a big way.
The potential financial exposure in these types of cases is, therefore, substantial. Although the Court of Appeal, in Vidal-Hall v Google, said that compensation can be claimed for distress without having to prove financial harm as well, we have previously offered insight into another case which appeared to provide some comfort for data controllers and processors. Lloyd v Google provided some relief for the data sector because the court took the view that individual claimants have to prove that they were directly affected in a material way by a data breach. If that is the case, then the possibility of a representative action is more remote.
However, data protection and data breach litigation is a developing area of the law. In a recent case against the Home Office, even though there was no evidence of financial loss to the claimants, the court applied the learning from Vidal-Hall, finding that harm could take the form of distress. Accordingly, damages were assessed at between £2,500 and £12,500, using psychiatric and psychological damage cases as guideline comparators. Therefore, it is clear that a large breach could lead to a substantial financial liability.
The Court in Morrisons suggested insurance is the appropriate safeguard for business. However, even if insurance cover is in place, it is important to be clear what the policy covers and protects against. For example, does the policy protect against physical damage or effects caused by a data breach or a cyber-security breach? Such damage is not hypothetical: a cyber-attack in Poland in 2008 caused four trams to derail, resulting in physical damage and injury.
At present, property insurance policies that are silent on the question of cyber-related damage are untested in the courts. This leaves the matter open for the insured and the insurer, with the former unsure if their cover will be applicable and the latter potentially exposed to unmeasured risk.