Not so long ago, following the Court of Appeal’s judgment in the seminal case of Lloyd v Google LLC EWCA Civ 1599, commentators and media outlets predicted an era where organisations would be submerged in a rising tide of US-style ‘class-action’ data breach claims.
On the contrary, 2021 has given us three recent cases which have decisively reshaped the likely future landscape of these claims. They are:
- Darren Lee Warren v DSG Retail Limited EWHC 2168 (QB)
- Alan Rolfe & Ors v Veale Wasbrough Vizards LLP EWHC 2809 (QB)
- Lloyd v Google LLC UKSC 50
Throughout our Data Protection claims series, we have discussed all three cases and their judgments. The overall effects of the judgments on the future landscape of data litigation are cumulative, and they are particularly instructive for ‘data breach’ claims which have involved a cyberattack.
In our view:
- For any case which involves a data breach arising from a ‘hacker’ or ‘cyberattack’, whether an internal or external threat, the only realistic cause of action in the future (against the data controller rather than the attacker itself) will be one under data protection law, now the UK GDPR and/or DPA 2018 (contrast that with the situation where the Defendant has itself misused personal information, which may permit a breach of confidence (BoC) or misuse of private information (MoPI) claim).
- A UK GDPR and/or DPA 2018 claim will centre on arguments about whether or not the Defendant has breached the data security requirements (e.g. Article 5(1)(f) and/or Article 32 of the UK GDPR).
- It will be a complete defence for an organisation to show that it implemented all appropriate technical and organisational measures, so it is important to ensure your organisation has good cybersecurity governance measures, such as a policy framework that includes an incident response management plan and a process for regularly assessing your technical controls.
- Even if the Claimant(s) are successful, damages will, in most of these cases, be limited to ‘distress’ (which typically attract lower awards than damages for breach of privacy or loss of control in MoPI claims).
- Damages will not be available in any data litigation cases, whether the cause of action is UK GDPR and/or DPA 2018, BoC or MoPI, where the harm to the Claimant cannot be reasonably substantiated and falls under the de minimis threshold.
- Rapid response by your organisation to contain the data breach and good remediation (as in the Rolfe case) may mean that the Claimant struggles to make out a claim above the de minimis threshold.
- A representative action for damages for an undefined large class of potential claimants is not viable, following Lloyd v Google, as opposed to numerous claims governed by a group litigation order, or several individual claims relating to the same circumstances. Even if a representative action is brought in future for a declaratory judgment following the ‘bifurcated process’ described by the Supreme Court, this will need to be followed up by individualised claims for damages. This should mean that your organisation can more easily assess the total potential exposure to claims, and thus make a reserve in your accounts accordingly.
None of this stops the rising tide of data claims, which will become ever more prevalent in a digital future. However, the overall effect of these judgments is that, in future, we would anticipate claims arising from personal data breaches or other contraventions of data protection law being limited to the more serious and egregious breaches, properly particularised and with a claim for damages set out to be assessed on an individualised basis.