“Data is like garbage; you’d better know what you are going to do with it before you collect it.”
This quote is, alas, not a creative warning from a FTSE 100 Data Protection Officer about the risk of collecting data under the General Data Protection Regulation (GDPR). No, the quote is from Mark Twain, who died more than 100 years before GDPR. Even so, it bears an uncanny resemblance to today’s data landscape.
Except data is no longer garbage. Consumer data is now corporate gold. And you’d better know what’s going to happen to you if that gold is compromised, lost or negligently handed over to criminal parties.
Data with destiny
GDPR was implemented in 2018 and replaced the Data Protection Act (DPA) 1998. The regime brought in a slew of responsibilities for data controllers and handlers. In short, there were increased requirements to safeguard personal data, with enforcement in the UK led chiefly by the Information Commissioner’s Office (ICO). The ICO slapped some high-profile fines onto companies for data breaches, chief among these being the £183 million levy on British Airways (BA) and the £99.2 million levy on Marriott International, although both were subsequently reduced dramatically to £20 million and £18.4 million respectively.
The fines were a sign of changing times. As data has become a more precious and protected commodity, so too has the potential financial remedy for the loss of data grown. Data breaches, of course, rarely involve the compromising of a single individual’s personal information but often involve thousands, potentially millions, of users. With such high numbers, group actions become a natural mechanism for remedy. Regulation soon turned to litigation as claimant lawyers looked at ways of bringing collective actions.
The first major mass data dispute involved Morrisons employees, whose case went all the way to the UK Supreme Court last year. While the court ultimately ruled in favour of the supermarket, the case was litigated under the now-repealed DPA. Under Section 13 of the Act, damages could be awarded to an individual who “suffers damage by reason of any contravention by a data controller”.
There was little in the way of exact criteria or precedent for data damages under the DPA, not least a legal basis for the recovery of non-financial damages. However, that changed under GDPR.
Hack of the net
Article 82 of GDPR allows victims who suffer damage as a result of a data breach to claim for “material or non-material damage”. Article 82 is the basis on which group actions have been launched against BA over its breach, even down to social media campaigns to drum up interest by the claimant firms.
Claims for damages under GDPR can be brought on the basis that the individual has suffered “material or non-material damage” as a result of the data breach. Some of the potential damages are easy to define (and for companies to compensate individuals for) such as costs incurred as a result of fraudulent spending, credit card charges, costs of replacing identity documents and so on, but “non-material damage” is a more abstract concept which has not yet been tested by the UK courts. However, lessons learned from the US on mass class actions in response to high-profile data breaches tell us that financial compensation for stress or anxiety caused by the loss or theft of personal data is potentially in scope, as well as compensation for potential future damage as a result of not being able to control where data may end up when in the hands of cyber criminals.
Group Litigation Order (GLO) cases and opt-out representative actions are notoriously procedurally complex cases in the UK courts. The procedure is lengthy and costly. There is no expedited process for litigating these claims, and the risk to the lawyers bringing them is only worthwhile if the class is large enough and the potential damages are high enough. This is perhaps best illustrated by the fact that establishing who is in the “Group” in the claims against BA is still being litigated, and potential claimants are still able to join the “Group” until 3 June 2021, almost two years and nine months since BA’s data breach took place.
While statistics at present suggest the number of mass claims for data breaches is low, it is still relatively early days. Indeed, the UK itself has generally not seen the sort of mass claims that US lawyers will be aware of, not least from the heyday of the stock drop plaintiff bar.
Companies may be used to managing litigation risk for issues such as product liability or health and safety, but data protection is a unique beast. Data is perhaps the single biggest and most sensitive asset that an organisation is entrusted with. It only takes one click on a phishing email, a mislaid laptop or a nefarious or disgruntled employee to compromise the organisation and leave it liable for a mass data breach claim.
It is worth remembering that class actions involve some inimitable aspects, which make them differ from traditional litigation, especially from a data perspective. Liability is easier to establish, and to admit, especially if regulators have already undertaken thorough investigations into the breach and slapped heavy fines on entities. Many defendants will thus be starting from a position of weakness.
Some of the tactics that the claimant bar can deploy are well suited to data breach claims. For instance, deploying the “opt-out” model can create a potential class of millions, spiralling the potential damages. Claimant firms can also play the media, launching a PR campaign to stoke up interest, further raise the profile of the claim and increase the reputational damage, adding further pressure on defendants.
A final point came from the height of the stock drop class action boom. A great deal of the claims launched back then had little intention of going to trial but were seeking a settlement. If the plaintiffs had a strong case, a defendant would know that the expense of going to court and the likely bill for damages meant a settlement was to everyone’s advantage (some of the more dubious claimant firms back then were even said to launch weak cases to simply get an easy payout, hoping a company did not want to waste the time, energy and money on going to court).
So best not to think of data like garbage. If you unwisely discard it, dump it or neglect it, you could face being cleaned out with a messy court action.