Data breaches and the right to compensation
In this second article in a series looking at litigation risks under the General Data Protection Regulation (GDPR) and the Data Protection Bill (the Bill), we consider the risks associated with data breaches and the scope for claims.
Data breaches – the risks
Data breaches are becoming an increasing risk for many organisations, including financial institutions. The growing portability and availability of digital data means that any organisation, even if it has exercised adequate controls, could find itself at risk of a data breach. Under the GDPR and the Bill, a data breach could have a number of significant financial consequences for organisations. These include:
(1) Fines from the Information Commissioner's Office (ICO) of up to the higher of 4% of an organisation's annual global turnover or €20m (£17m);
(2) The right for affected individuals to seek compensation even where the organisation in question has seemingly done everything it can to prevent data from going astray; and
(3) Reputational impacts including a drop in share prices and negative publicity.
Data breaches can arise through any number of internal or external causes. The Ponemon Institute's '2017 Cost of Data Breach Study' (sponsored by IBM Security) examined data breaches across the globe and found that 47% of data breaches were caused by malicious or criminal attacks (such as hackers or rogue employees), 25% were caused by human error (i.e. negligence) and 28% resulted from system glitches.
Data breaches in financial services
Taking into account the quantity of personal data, the sensitivity of such data and the potential value of that information, financial institutions are among the organisations most at risk.
A high-profile recent breach was caused by a cyber-attack on Equifax in mid-2017, during which 15.2 million UK records were compromised. Notably, only 3% of those affected were direct customers of Equifax. The remainder were customers of other organisations, including financial institutions, whose information had been passed to Equifax when customers applied for new facilities (such as bank accounts). As a result of the breach Equifax have already had to take steps to advise and protect the information security of c.700,000 UK customers who were placed at risk of financial fraud including identity theft. More recently, Equifax have announced that they will also be writing to an additional 167,000 UK customers whose landline details were obtained during the breach (even though these details were available in public directories).
Open Banking came into effect on 13 January 2018. This requires the UK's largest current account providers to share their customers' data. Whilst it is recognised that this development will lead to more competition and better choice for customers, it is clear that as more parties have access to customers' data, the risks of a data breach increase.
Data breaches – the costs
In light of the potential for large-scale breaches, such as the one that affected Equifax, the consequences for organisations are clear and the financial consequences could be far-reaching.
The potential for a fine from the ICO has, perhaps wrongly, received the most press attention to date. In reality, whilst the ICO will have the ability to impose fines up to the higher of 4% of annual global turnover or £17m, Elizabeth Denham, the Information Commissioner, has commented that “Issuing fines has always been and will continue to be, a last resort” and that “Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point”.
Therefore, although individuals will have the option to complain to the ICO and a right to judicial remedies against decisions by the ICO, this will not provide individuals with the financial remedy they may feel they deserve. The power to award compensation will remain with the courts.
Current legislation contains a right to compensation for financial loss. However, following the Court of Appeal's decision in Vidal-Hall v Google, this has been extended to include compensation for individuals who suffer "mere distress" as a consequence of a breach, even if they have not suffered financial loss. This right to compensation for distress is now enshrined in the GDPR.
An additional cause for concern for financial institutions will be the recent High Court decision in Various Claimants v WM Morrisons Supermarket plc. In January 2014, an employee of Morrisons leaked 99,998 employees' records online. This included employees' names, addresses, dates of birth, phone numbers, National Insurance numbers, bank account details and salary details. In short, sufficient information for identity theft.
The reason that the employee had access to this personal information was as a result of his role as a senior IT auditor, tasked with compiling and passing the information securely to an external auditor.
The court determined that Morrisons was not primarily liable/directly at fault for the data breach, having exercised "adequate and appropriate controls". However, the court held that there was "sufficient connection between the position in which [the auditor] was employed and his wrongful conduct". Consequently, Morrisons was held vicariously liable for the employee's actions.
This decision is likely to cause concern for organisations, who may have done everything in their power to prevent a breach but can still be found liable for the actions of a rogue employee. Organisations will also need to be conscious of the fact that neither the GDPR nor the Bill either expressly or impliedly excludes vicarious liability, meaning that this ruling (subject to appeal) could set the benchmark for data protection going forward.
The decision at trial related only to liability, with quantum still to be decided. However, given that large scale data breaches can affect millions of customers, even a modest award per individual could lead to organisations having to make substantial pay-outs. A decision on quantum in the Morrisons case is likely to set a benchmark for the likely level of damages that could be awarded from a breach.
In the meantime, Morrisons have been given leave to appeal the decision, and it is anticipated that they will do so, not least because the case will set a precedent, meaning that the remaining 95,000 individuals affected by the breach could bring separate claims for compensation.
The Morrisons case has also demonstrated that where a data breach affects numerous individuals and those claims give rise to common or related issues of fact or law, the courts have the power to order that multiple claims can be heard under a group litigation order. Data breaches, where one act can affect millions of individuals, lend themselves to this type of litigation.
In addition to the obvious financial concerns of fines and litigation costs arising from a data breach, organisations will also need to factor in the ongoing costs and financial loss. Data breaches naturally receive significant press attention, and how this attention is handled can significantly affect how an organisation recovers from a breach. Following the Equifax data breach its stock price plunged, and considerable work has had to be undertaken to rebuild shareholder faith.
Following a data breach, an organisation will also need to invest time and money into rebuilding its reputation and reinstating customer trust in its systems and controls. Customers will be keen to understand what steps the organisation is taking to ensure a breach does not happen again.
Everyone has seen the headlines about the potential fines. However, the true cost of a data breach is much wider and potentially more damaging. Organisations will need to take into account both the potential cost of damages that can arise from such a breach and the reputational cost.
Article by Richard Hayllar, partner. Contributions by Emily Black, associate, Alanna Tregear, solicitor and James Tithecott, solicitor.
This article was originally published by Compliance Matters, and is the second in a series on GDPR litigation risks. Please see the first article here.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at February 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.