Data breach class action lawsuits are already well-established in the United States, but are only developing elsewhere. In the following guest post, Stephen Reilly and Andrew Jones of Beale & Company Solicitors take a look at the possibilities and prospects for data breach class actions in the U.K. A version of this article previously was published as a Beale & Company client alert. I would like to thank Stephen and Andrew for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen and Andrew’s guest post.
In the USA, data breach class actions are commonplace. However, the increasing use of class action-type Court procedures, combined with hungry third party litigation funders, means that similar claims are now on the increase on this side of the Atlantic. In this article, we look at the relevant Court procedures and the data breach class actions making their way through the English courts. Businesses and their cyber insurers should take note – we are poised for a material increase in these types of claims.
Class action procedures in the UK
‘Class actions’ or group litigation enable claimants with similar claims to group together and bring actions collectively against the same defendant(s). There are two main forms of group litigation in England and Wales available for collective data breach litigation:
1) Group Litigation Orders; and
2) Representative Actions.
1) Group Litigation Order (“GLO”)
A GLO is an order by the Court made under CPR 19.11 to provide for the collective management of numerous claims that give rise to “common or related issues of fact or law”. It should be borne in mind that each claim remains substantively separate and the GLO is only a mechanism to manage all those individual claims together for reasons of efficiency. Each claimant pleads individual facts and any damages payable are tailored accordingly. One of the best known GLOs was the RBS Rights Issue Litigation for securities related claims against RBS and its former directors in respect of the £12bn rights issue where the various claimant groups recovered over £800m in damages.
GLOs operate on an “opt-in” basis, whereby claimants are not included in the action unless they take positive steps to join by entering details of their claim into a “Group Register” which is established once the GLO has been made. The proposed claim is usually advertised to alert potential claimants and (for efficient case management) the Court will often direct a cut-off date after which claimants cannot be entered onto the Group Register without the court’s permission. If the limitation period has not expired, claimants may still be able to issue their own individual claims later outside of the GLO.
The rules allow a single Claim Form to be used and usually the Court will order the filing of group Particulars of Claim containing general allegations as well as a separate schedule setting out the facts relied upon and the specifics of damage suffered for each claimant. Up until the point that individual issues need to be determined, the defendant may only need to plead a defence to the group Particulars of Claim. Depending on the Court’s view as to how to manage the litigation best, there may then be determination of preliminary issues and/or a trial of the lead or test claims in order to best deal with all the issues being contested. At that point, the defendant may well need to plead a defence in respect of more specific issues that arise in those particular claims. Any judgment on a GLO issue will be binding on all other claims on the Group Register.
Specific GLO costs rules apply which ring-fence a claimant’s costs liability and do not leave it exposed to all the defendant’s costs. Each claimant is only liable for a several share of the common costs of pursuing the GLO and a several and equal share of any costs awarded to the defendant if the claim does not succeed.
HM Courts & Tribunals Service figures indicate that since their introduction in 2000 only 108 GLOs have been issued.
2) Representative Actions
Representative Actions under CPR 19.6 are an alternative procedure to GLOs and may be brought by numerous claimants who have the “same interest” in a claim, i.e. they must all have a common grievance and the relief sought must be the same for all claimants. The claim is brought by a representative of all of the claimants, who prosecutes the action on their own behalf and on behalf of the entire class. There is no need to list the class members, but it must be possible to say of any particular person whether or not they qualify for membership of the represented class by virtue of having “the same interest”. Any judgment or order given is binding on all class members represented.
Unlike GLOs and more like their American equivalents, Representative Actions are “opt-out” and so all persons falling into the represented class form part of the litigation unless they take positive steps to remove themselves.
The Representative Action “same interest” requirements are a more restrictive test than the test of “common or related issues of fact or law” for GLOs. In addition, the Court has a wide discretion to permit (or not) such claims to proceed which in part explains why such class actions are not as prevalent here as in the USA.
Funding of class actions
In England and Wales, it is permissible for a funder, subject to certain restrictions, to fund litigation in return for a share of the proceeds received by a party. Litigation funding has developed substantially in recent years and class actions represent a potentially lucrative area for funders.
While CFAs (conditional fee agreements) and other funding routes are potentially available, the reality is that these types of class actions are unlikely to proceed without third party litigation funders. ATE (after the event) insurance policies are also usually obtained to meet the costs of a successful defendant.
Class actions and causes of action for data breaches
The common issues and interests involved in mass data breaches (where the data of a large number of data subjects is compromised simultaneously, often via a cyber-attack) therefore potentially lend themselves well to class actions, either via GLOs or Representative Actions, depending on which procedure is best suited to the key liability and damage issues in play.
For post-25 May 2018 data breaches, Article 82 of the General Data Protection Regulation (“GDPR”) (given effect in England and Wales by s.168 Data Protection Act (“DPA”) 2018), provides a right to claim compensation for individuals who have suffered “material or non-material damage” as a result of infringement of the GDPR. “Non-material damage” specifically includes “distress”. Recital 85 to the GDPR lists “loss of control” over personal data as another example of the kind of damage that might be caused as a result of a data breach.
The predecessor to these provisions was s.13 of DPA 1998. The DPA 1998 still applies to claims where the data breach was prior to 25 May 2018. The DPA 1998 also enables individuals to claim compensation for pecuniary loss and distress. In the Lloyd v Google LLC case (see further below) the Court of Appeal held that such damages are also in principle capable of being awarded for loss of control of data, even if there is no pecuniary loss and no distress.
Whilst not yet a flood, there has been a steady trickle of cyber-related class actions brought before the courts in the last 24 months. This is in part explained by the fact that important legal issues about how such claims can proceed are still being shaped and established. Up until the Court of Appeal decision in Lloyd v Google LLC, many of these key legal issues had still not been fully considered. The Lloyd v Google LLC case (subject to appeal to be heard by the Supreme Court in late 2020/early 2021) has, however, now moved these issues on, in a potentially pro-claimant manner.
We consider below four of the main cyber-related claims in which claimants have sought to take advantage of these group litigation procedures in the UK: Morrisons, Lloyd, Equifax and British Airways and the implications of these cases for businesses and their cyber insurers.
Various Claimants v VM Morrisons Supermarkets plc
Mr Skelton, a Morrisons employee with a grudge, downloaded payroll data containing personal details of 100,000 Morrisons’ employees (such as names, addresses, NI numbers, salary details and dates of birth), onto a personal USB stick and uploaded this data onto a public file-sharing website. A CD containing a copy of the data was also sent to three newspapers in the UK – although they did not publish the information. Mr Skelton was sent to jail for 8 years for his criminal actions and Morrisons spent over £2m cleaning up the breach.
A GLO was launched, with approximately 9,000 employees issuing a claim against Morrisons for compensation for (i) breach of statutory duty under s.13 of the DPA 1998, and (ii) common law misuse of private information and breach of confidence. (Note that in using the GLO procedure, the approx. 90,000 other potential claimants did not bring claims.) While these breaches were directly committed by Mr Skelton, the Claimants alleged that Morrisons had vicarious liability for his actions.
On 1 April 2020, the Supreme Court found that, on the facts and as he was embarked upon a personal vendetta, Mr Skelton’s wrongful conduct was not sufficiently connected with the acts that he was authorised to do in his employment so as to justify a finding of vicarious liability on Morrisons (see our separate article on this case). Crucially, however, the Court found that it was possible (depending on the facts) for an employer to have vicarious liability under (i) the DPA 1998 (and, it will follow, the GDPR and DPA 2018) and (ii) the alleged common law torts of misuse of private information and breach of confidence – even where (as here) the business had done all it reasonably could to protect its data. This may yet prove to be an important avenue of recovery for data breach claimants going forward, depending on the facts of any case.
Richard Lloyd v Google LLC
Richard Lloyd, a consumer champion and former “Which?” editor, issued a Representative Action against Google claiming damages on behalf of a class of an estimated 4 million iPhone users in relation to the “Safari Workaround”. In essence, this allowed Google to track the internet activity of these users without their consent and to sell their browser generated information (“BGI”) to third party advertisers.
As in the Morrisons case, Mr Lloyd claimed compensation for each class member under s.13 DPA 1998 for alleged breaches of the Act. In an effort to come within the “same interest” test, however, the claim was restricted to seeking damages for the “loss of control” of data of each class member. The claim did not seek pecuniary or distress loss, recognising that such damage claims would have varied between class members and so prevented use of the CPR 19.6 Representative Action procedure.
The claim is said to be financed by £15.5 million of support from litigation funder Therium, with the Claimants also holding a £12 million ATE insurance policy.
The High Court initially dismissed the claim on the grounds that (i) the individuals had not suffered recoverable “damage”, i.e. pecuniary loss or distress, under s.13 of DPA 1998; (ii) the class members did not share the necessary “same interest” for a Representative Action; and (iii) the Court would in any event have exercised its discretion to disallow the use of the Representative Action procedure where the case was “officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches”.
In October 2019, however, the Court of Appeal overturned the High Court on all issues in a ground-breaking decision that found that:
(i) contrary to the previous orthodox understanding of “damage” as required under s.13 of DPA 1998, a claimant could be compensated for “loss of control” of her data under s.13 of the DPA 1998 without having to evidence simultaneous pecuniary loss or distress. It had been common ground between the parties (and the Court of Appeal agreed), however, that if the data breach infringement was trivial or de minimis the Court would be entitled to refuse to make an award of damages;
(ii) based on the “lowest denominator” approach of the claim to seek damages for loss of control only, the estimated 4 million affected individuals did have the “same interest” to allow the Representative Action to proceed – while class members may have had different amounts and differing sensitivity of data harvested by Google, all the claimants had had their BGI taken by Google without their consent, in sufficiently the same circumstances, during the same period and the claim was not seeking to rely on any personal circumstances of individual class members; and
(iii) this was not “officious litigation”. Preventing the claim from proceeding would deprive the Claimants of any remedy where there had been a sustained and arguably deliberate harvesting of the class members’ data.
In March 2020, Google were granted permission to appeal to the Supreme Court on all three key issues. A hearing is now expected in 2021.
Atkinson v Equifax Ltd
In 2017, Equifax Ltd’s American parent company, Equifax Inc, suffered a data breach following a hack which allegedly compromised personal information including credit card details of 143 million individuals, including 15 million UK residents. It was reported that Equifax Inc had agreed to pay up to $700m as part of a settlement in the US. In September 2018, the ICO issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of the UK residents.
Within days of the above favourable Court of Appeal decision in Lloyd v Google, Mr Atkinson sought to bring a Representative Action against Equifax Ltd on behalf of the class of 15m UK claimants. As in the Google case, Mr Atkinson sought to claim compensation for “loss of control” of data without any pecuniary loss or distress claim, and for misuse of private information arguing that Equifax failed to maintain appropriate security around the data affected in the attack. Mr Atkinson’s lawyers said they estimated the total value of the claim to be £100 million.
However, in April it was reported that Mr Atkinson had decided to withdraw the claim following Equifax’s submission of its Defence, which challenged the Court of Appeal’s decision in Lloyd v Google and the application of that decision to a cyber-attack case. Reports suggest that Equifax’s Defence argued that (i) the lead claimant could have had no expectation of privacy over the information that was affected, because the affected data (Atkinson’s name, date of birth and landline phone number) was in any event listed in public sources; (ii) the claimant “did not exert any meaningful control over that data”, data which had in the first place been gathered by Equifax from sources other than the subjects themselves; and (iii) the claim did not surpass the required impact/damage threshold of “trivial”.
Equifax are now seeking to recover the costs they have incurred in responding to the action, in what could be a harsh lesson for those funding the litigation.
Various Claimants v British Airways PLC
British Airways fell victim to a “formjacking” attack involving user traffic being diverted from the British Airways website to a fraudulent site. Through this false site, the personal data (including BA login details, credit card information, address, email address and travel booking information) of approximately 500,000 users was compromised. An extensive investigation by the ICO resulted in the issue of a notice of intention to fine British Airways £183m (equivalent to 1.5% of BA’s 2017 turnover) for GDPR infringements – albeit the time for the ICO to confirm the fine has recently been extended to allow further time for British Airways’ representations.
In October 2019, affected British Airways customers were granted permission by the High Court to bring claims against the company as part of a GLO. A deadline of January 2021 has been set for individuals to opt in to the Group Register for the GLO, following which the case will proceed. Several law firms appear to be advertising online for potential claimants, offering “no win, no fee” and ATE-backed GLO litigation.
The future for cyber-related class actions
The future of class action data breach claims in the English Courts remains, to some extent, uncertain. However, data breach claims are now already listed in the Courts, which will map out the boundaries of previously untested legal and procedural issues which are key to the future of mass data breach claims in England and Wales.
If the Supreme Court in Lloyd v Google LLC confirms the Court of Appeal’s decision, then we can expect to see a material increase in these types of claims going forward.
Some of the important questions that remain to be answered include the following:
- Whether the more pro-claimant “same interest” test for Representative Actions will be upheld by the Supreme Court. If so, the Representative Actions procedure has the potential to support much larger claims for businesses and their insurers to face going forward, given the “opt-out” basis.
- What is the de minimis threshold of seriousness of data breach to overcome so that damages will be awarded? There is still no clear test with clear factors to assist potential claimants. In Lloyd v Google LLC the Court of Appeal was clearly influenced by the period of time the data harvesting had been going on for, the fact Google was monetising such data and that such harvesting was unknown to the claimants at the time. However, what factors carry what weight in measuring the de minimis threshold still need to be clarified. The potentially relevant factors include those issues considered in Lloyd v Google LLC, the sensitivity of the personal data involved and the impact on the individuals concerned both financially and in terms of possible distress.
- What monetary value do data breach claims have? Whilst direct financial losses are easier to quantify, these are not common in data breach claims. Most mass data breach claims are for damages arising from “distress” and “loss of control” of data, and the scale of damages for related GDPR/DPA 2018 breaches is still unknown. The GDPR/DPA 2018 do not specify a sum or provide guidance on the level of any awards to be expected. Will it be £100 each or £5,000 each for millions of claimants in a large-scale data breach? Other than a few notable exceptions, the awards for “distress” under DPA 1998 have generally been modest (such as £750 in Halliday v Creation Consumer Finance EWCA Civ 333), although the claimants in Morrisons were seeking upwards of several thousand pounds each, which would have equated to total compensation of £20m+. In Lloyd v Google LLC, damages of circa £750 per claimant (circa £3 billion for the 4m class members) were apparently referenced in pre-action correspondence from the claimants. Many commentators expect that awards under GDPR/DPA 2018 will be higher than under DPA 1998 in any event and will therefore lead to larger exposure on claims.
We anticipate that the use of group litigation in data breach claims will continue to rise in the coming years. The next large-scale class actions on the immediate horizon appear to be Virgin Media (following personal details of up to 900,000 customers being exposed after hackers accessed customer information stored on an incorrectly configured database) and Easyjet (full names, email addresses and travel data that included departure and arrival dates were hacked, said by claimant lawyers to pose security risks to individuals as well as being a gross invasion of privacy). The ICO are investigating both breaches, and claimant lawyers are recruiting claimants and getting headlines by suggesting compensation of up to £5,000 per individual.
The (i) greater public awareness of potential compensation related to data rights, (ii) growth of litigation funding for class actions, (iii) development of a UK specialist bar dealing with mass data breach claims and (iv) the Court’s increasingly accommodative interpretation of class action-type Court procedures are a dangerous mix of ingredients and will create an increasingly risky and volatile environment for data holding businesses and their cyber insurers.