The increasing risk of the data leak class action
This blog post examines the potential for collective actions in the UK following data breaches and how risks can be minimised.
A longer form of this article was originally published by Thomson Reuters Complinet.
Individuals are increasingly empowered to act collectively against organisations which have compromised their data. In December 2017, the High Court found the supermarket chain Morrisons liable for the criminal actions of one of its employees in leaking the personal payroll data of 100,000 employees on the web. Claims were brought against Morrisons by 5,518 employees under a Group Litigation Order (GLO) for breaches of the Data Protection Act 1998, misuse of private information and breach of confidence. Whilst the court made no finding of primary liability against Morrisons on any of the claims, the court concluded that Morrisons was vicariously liable for the actions of its employee. The Morrisons case is the first time in which the courts have shown themselves willing to attribute liability for a data breach vicariously for the actions of a rogue employee, despite there being no finding of primary liability. This is likely to encourage interested groups to bring action against data controllers, particularly those with deep pockets, in circumstances where data has been compromised.
Although "opt-out" class actions of the type seen in the US are not (other than for competition claims) available in England & Wales, there are other mechanisms which will enable individuals and/or representative parties to bring a collective action following a data breach. GLOs allow a large number of individuals to pursue an action together in circumstances where pursuing an action by themselves might be uneconomic. Representative actions under CPR 19 allow a group of claimants to have one individual (or a small number of individuals) pursue an action as a representative of their class. In addition, the GDPR introduces a further option for the representation of individuals whose data has been compromised: Article 80 provides that not-for-profit bodies may lodge complaints on behalf of data subjects and receive compensation on their behalf. Litigation funders, whose role in high profile actions has become increasingly prominent, may be tempted by the scale of such actions to fund these sorts of claims.
These tools have been available to claimants for some time. However, in data breach actions where large numbers of claimants are readily and often immediately identifiable as having the same interests, it seems likely that we will see a growth in the number of these types of actions. These actions may arise from the data subjects themselves, or, as has been seen in relation to Facebook following the recent revelations about its relationship with Cambridge Analytica, from shareholders for any fall in share price as a result of a data breach.
There are several key steps an organisation can take to minimise the risk of finding itself the subject of a data breach class action. Perhaps the most obvious is to review its own cybersecurity systems and procedures, and those of any third parties to whom it sends data, with a view to avoiding data breaches. In addition, if a data breach does happen, making sure that a team of advisors and senior employees is on hand and ready to react urgently, to deal with any IT, legal and PR issues arising, is vital both to contain the breach and to minimise the scope and scale of any subsequent litigation. Training front-line employees is also important; data breaches can still happen even with GDPR compliant systems in place. Training employees to look for trends in complaints about data (which may signal a growing issue), timely and transparent reporting of the data breach to customers, and careful training of the customer services team who will have to deal initially with affected customers may all help to minimise the impact of the issue.