This site uses cookies.

Data Breach and Privacy Claims: The next big thing? - Rick Preston, Horwich Farrelly

27/01/20. Following the introduction of holiday sickness claims protocols and fixed fees (April 2019), the PPI claim limitation deadline (August 2019) and the impending changes proposed within the Civil Liability Act (April 2020 at the earliest) there is evidence that CMCs and Claimant Solicitors are considering Data Breach Claims as an area which may provide an opportunity to fill voids created by the reductions in work volumes and profits of its predecessors.

A simple Google search reveals the extent to which this potential new source of business has been identified and actively marketed, although the general public do not appear to have jumped on the bandwagon, so far.

Could this this really be the next PPI?

It depends. Unless the Court of Appeal or the Government take steps that control these claims, they could become expensive and increasingly prevalent. Where a data breach has occurred, the Information Commissioner’s Office (ICO) has already shown that it takes matters extremely seriously. This will be reflected in the claims that are made, where measuring the claimant’s losses will be based on a substantial element of subjectivity.

Are the majority of claims likely to come from publicised data breaches/group actions?

Claimant lawyers are more likely to be interested in individual claimants if they are involved in a serious breach causing substantial distress or loss. However, as with flight delay claims, it may be attractive to handle group claims, even at relatively low value. Those are likely to flow from well publicised breaches that affect a large number of individuals but with modest consequences in terms of distress. These claims will, however, need to pass a ‘threshold’ test (see below).

Defending claims

Defences are probably going to be limited, on the basis that a breach is a breach, even if accidental and appropriate data protection measures are in place. This should be contrasted with lawful or unlawful processing, as defined within GDPR/DPA. However, per Lloyd v Google the court clearly stated that there is a threshold of seriousness. A claim for loss of control of personal data would not arise in relation to “an accidental one-off data breach that was quickly remedied”. Instead, in such a case, the individual would likely need to prove actual damage, non-material damage or distress. Whilst not a defence to liability per se, there does appear to be an opportunity to raise arguments based on causation.

In addition to praying in aid the “threshold of seriousness”, data controllers faced with trivial claims for loss of control damages could seek to strike out such claims as an abuse of process on the basis of the Jameel (2005) principle, i.e., there has been no real and substantial tort. Reliance on the Jameel principle in data protection claims may become more common, particularly if direct marketing attracts high volumes of spurious claims, as we have seen in so many other areas.

What types of data breaches are most common?

Database Hacking

A recent study of over 40,000 incidents showed that errors accounted for 21% of all data breaches, which is good evidence that many data protection breaches are not caused intentionally. However, the study also found that over 70% of breaches were financially motivated, with approximately half of all breaches involving hacking in some form. Hackers are becoming increasingly sophisticated in their attempts to crack valuable data stores and any organisation which holds some kind of personal data is now considered to be a target.

Local Authorities and Council Breaches

The ICO has confirmed that there were 223 data breaches involving local governments in the UK in the final quarter of 2018 alone. The majority of these involved data being posted, faxed or emailed to the incorrect participant, but also included loss or theft of paperwork from an insecure location.

Local councils often deal with large amounts of highly sensitive data regarding their constituents, so the scope for damage can be considerable. Figures from the ICO highlight a failure to use BCC in emails as being a particular issue for authorities dealing with education and childcare.

Card skimming and Finance Attacks

Unsurprisingly, the majority of breaches...

Image ©iStockphoto.com/PashaIgnatov

Read more (PIBULJ subscribers only)...

All information on this site was believed to be correct by the relevant authors at the time of writing. All content is for information purposes only and is not intended as legal advice. No liability is accepted by either the publisher or the author(s) for any errors or omissions (whether negligent or not) that it may contain. 

The opinions expressed in the articles are the authors' own, not those of Law Brief Publishing Ltd, and are not necessarily commensurate with general legal or medico-legal expert consensus of opinion and/or literature. Any medical content is not exhaustive but at a level for the non-medical reader to understand. 

Professional advice should always be obtained before applying any information to particular circumstances.

Excerpts from judgments and statutes are Crown copyright. Any Crown Copyright material is reproduced with the permission of the Controller of OPSI and the Queen’s Printer for Scotland under the Open Government Licence.