Group litigation following a data breach

Following the discovery of a data breach, businesses are usually primarily concerned with securing their systems, protecting their and their stakeholders’ data and complying with their regulatory obligations. However it is never too early for them to think about the longer-term fall-out of a breach, and in particular, the potential to be on the receiving end of claims for loss or distress arising out of the breach.

From the moment a breach is reported – either in the press or because data subjects are directly notified – the business is likely to be the target of civil claims.

Possible vehicles by which claims might be brought

In England and Wales, where there is to be a claim by a large number of claimants suffering the same or similar loss, the words "group litigation" will spring to mind. Unlike America and its 'op-out' class action approach, other than certain consumer competition claims, multi-party litigation in the English Courts is (currently) managed in an 'opt-in' fashion either by a Group Litigation Order (GLO) or a Representative Action. Individuals are also able to bring their own standalone claim.

Group Litigation Orders

The concept of a GLO has been a feature of English court procedure for more than two decades, but latest HMCTS figures show that the mechanism only gets used a handful of times each year.

GLOs are intended to allow the efficient management of claims which have "common or related issues of fact or law". The court has discretion whether to make such an order.  Each claimant must issue their own claim to participate, meaning it is an opt-in mechanism. Although every individual therefore effectively has their own standalone claim, most claims on the Group register will not be individually considered. Instead, the claim proceeds on the basis of a single action (or actions) for each class of claimant. A class of claimant is intended to represent those claimants on the Group register who share the same characteristics and have suffered the same harm. For example, in a data breach scenario, customers whose names and addresses were breached will form a different class to those whose financial information was also lost.

This means large numbers of claims are handled effectively as one claim proceeding on a single timetable, as opposed to hundreds or thousands of claims in different courts with slightly different pleaded cases. Any issue decided under the GLO will bind all those individuals on the Group register.

Due to the fact that a cut-off date to join the Group register is imposed by the court, there is usually a flurry of activity by law firms and claims management companies to seek out affected individuals to get them to sign up and issue a claim. This leads to increased publicity and usually more claims being issued than would otherwise be the case. That being said, there are costs advantages for all involved in limiting the number of claims that actually proceed and there usually being one lead claimant for the solicitors' firm to deal with, not several.

GLOs are increasingly being funded and insured to make them attractive to claimants – protecting them from adverse costs – which further increases their appeal to otherwise idle claimants.

In the context of a data breach where there is the potential for civil claims from data subjects, we see GLOs being increasingly ordered and businesses should have one eye to the risks of such claims being brought from day one of a breach.

Representative Actions

An alternative to GLOs is the Representative Action. This is where one claimant issues a claim as representative for all the other parties with identical interests. They are not available for groups of claimants (or defendants) where they may have different remedies or different fact patterns.

One key difference from GLOs is t that other members of the represented class, even if they suffer identical damage, are not joined to the action and are not automatically bound by the judgment – without court permission.

To date, representative actions are rare in England as the courts have taken a narrow approach to whether individuals do in fact have the same interest, and this has served to keep the doors shut to an 'opt-out' approach to group litigation. That may all change soon though. The Supreme Court is expected to hand down judgment shortly in the much-anticipated case of Lloyd v Google which will determine, among other things, whether representative actions can proceed on an opt-out basis under English Law.

If the Supreme Court does decide to allow a broad opt-out regime, we expect the number of representative actions following data breaches to increase significantly, and potentially there being a race to issue first by claimant law firms hoping to be the ones leading the claim on behalf of all affected individuals (aside from those who proactively decide not to be a party).

Size and type of claims

Ever expanding basis for damages

The other goal post which is changing over the course of English data privacy jurisprudence is the basis on which an individual can claim damages.

Before the case of Vidal-Hall v Google, a data subject could not claim damages under data protection law unless they had suffered financial loss. After that case, it was clear that an individual could claim damages for distress as well as financial loss.

Lloyd v Google has taken things further by extending the boundary to claims beyond financial loss and distress to "loss of control" of one's data. This is on the basis that it would be difficult for a claimant data subject to show distress over the loss of certain types of data, such as (for example) password login details. The loss of control concept removes any burden on the claimant to show damage, and requires them merely to demonstrate they have suffered a loss of control of their data.

This development follows the landmark decision in the phone hacking case of Gulati v MGN Limited which involved the wholesale hacking of celebrity mobile phones and voice message interception. That case produced the best guidance to approaching the assessment of damages in the judgment of Lady Justice Arden [at 48]:

"Damages in consequence of a breach of a person's private rights are not the same as vindicatory damages to vindicate some constitutional right. In the present context, the damages are an award to compensate for the loss or diminution of a right to control formerly private information and for the distress that the [claimants] could justifiably have felt because their private information had been exploited, and are assessed by reference to that loss".

In addition to this, the recent case of Aven & Ors v Orbis Business Intelligence Ltd, has not only affirmed that damage was not confined to financial loss and that compensation could be awarded for distress and interference with the data subject’s control over their data. The judge also held that where the inaccurate information was seriously defamatory, compensation could be awarded for reputational harm.

Such a finding may not be relevant to a group litigation claim brought in the aftermath of a data breach. Nevertheless, it demonstrates the direction of high speed travel in the terrain of data protection claims brought in the English courts.

Expanding causes of action

The other issue to remember regarding data breach litigation is that there is more than one cause of action available where, at least historically, different damages awards have been given.

Long before data protection claims became popular, the tort of misuse of private information was created from the tort of breach of confidence following the House of Lords decision in the Naomi Campbell case. Indeed, in data beach claims, these torts are often pleaded alongside data protection claims. This is because these torts can be established upon "use" or "misuse" of private or confidential information and are not dependent on the publication of that information.

Pleading several claims at once also increases the opportunity for a larger damages award which, if multiplied across the scale of a large class action of data breach claimants, can make a significant difference.

While always case dependent on the circumstances, from preceding media law cases, it is also clear that damages awarded in misuse of private information claims are larger than those in tradition data protection cases. For example, in TLT v Secretary of State – which involved a breach of a spreadsheet containing data belonging to 1,598 asylum seekers which was downloaded 27 times – damages awards of between £2,500 and £12,500 were made.

In Brown v Metropolitan Police – which saw the disclosure of personal data in the course of a misuse of police powers – the global award of damages for both the misuse of privacy and data protection claims was £9,000. In Aven v Orbis, damages of £18,000 were awarded for a successful data claim based on inaccuracy (allegations about favours for President Putin, which was more akin to a libel claim).

By comparison, ZXC v Bloomberg – which involved a privacy claim related to evidence in a criminal investigation – resulted in damages of £25,000 and Sicri v Associated – which involved the identity of a suspect arrested for terrorism – was much higher.

Scale of publication can also increase the damages in such claims. For example, in Richard v BBC – which involved the widespread broadcast of a police raid on Sir Cliff Richard's property and interview information – £210,000 in damages was awarded (which included a special damages claim). In the Gulati case, the frequency of interceptions over the number of years was a factor, as well as the effect on the claimants and their relationships with others, and this led to awards of between £72,500 to £260,250 being made.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber or Reputation Management & Privacy Protection teams.