Are you compliant?
Now that we are in a post-GDPR world, companies may be considering the possible nature of future claims. Besides the ICO, claims may arise from other potentially interested parties such as the FCA, PRA, police, NCSC and insurers.
The consensus among litigation lawyers I have spoken to is that by far the biggest threat is from group litigation. Provided the claimants have suffered materially the same harm, the danger is of claims which are individually not significant but in the aggregate could run into very large sums. Where a large data set is lost, the likelihood is that the same types of data of multiple customers will be compromised, which would satisfy the requirement for materially the same harm. The group would then take one affected individual as being representative of the loss. By contrast, my colleagues and I believe that individual claims are likely to be confined in the main to the lower courts.
Note that there is no absolute requirement for a claimant to have suffered pecuniary loss – Vidal Hall v Google (“distress and anxiety”).
The most likely grounds are (i) incomplete/delayed responses to SARs, (ii) unauthorised disclosure/loss of personal data, (iii) failure to provide data portability, (iv) failure to erase/correct data (see the recent HC judgment in NT1/NT2 v Google), and (v) unlawful processing.
There is also the possibility of the threat of a GDPR claim being bundled with another, less serious (in terms of potential damages) claim in order to persuade defendants to settle on terms favourable to the claimant, i.e. to avoid the risk of large ICO fines and reputational damage, particularly in group litigation. However, this was qualified by the very recent costs order (link at the end of this paragraph) handed down in Various v WM Morrison (a pre-GDPR case, but one which in our view would have the same outcome under GDPR, albeit one which is being appealed later this year). In that costs order, the defendants received credit for the fact that the claimants had spent large amounts of time and money on the claim of direct liability of the defendant, which was not proved, although the defendant was held vicariously liable for the data breach intentionally committed by its employee. The costs order is available at https://1woyw921roz71aldxk2unpkv-wpengine.netdna-ssl.com/wp-content/uploads/sites/2/2018/05/Morrisons-Costs-final.pdf
Causation in the context of GDPR claims may also concern some companies. For example, if an employee maliciously places the credit card data of staff on the internet, is it reasonably foreseeable to the defendant employer (if held vicariously liable) that someone might then fraudulently use that card data? There are ever-more sophisticated ways of using personal data, particularly data whose use might not be obvious, and which may involve a chain of criminal acts which are not reasonably foreseeable. It is not easy to predict with certainty how causation would be applied in cases of GDPR data breaches such as this, but it seems logical to conclude that the courts’ starting-point would be the established principles of causation in tort.
Companies would be well-advised to review their policy for reporting of data breaches due to cyber-attacks. The FCA have stated that they believe there has been historic under-reporting and have advised firms that they are expected to report any concern that an attack has taken place or is expected to take place without any delay.
In terms of ICO penalties, Elizabeth Denham has recently stated that enforcement will remain a last resort, but it should be noted that the ICO’s appetite for enforcement is apparently increasing. Although the maximum fine is the higher of EUR 20m or 4% of worldwide turnover under GDPR (previously, it was just GBP 500k under the DPA), some lawyers have suggested that the ICO have implied that a figure of EUR 1m may be the unofficial benchmark for what the ICO regard as a “stiff penalty”.