Security chiefs worry about class actions after data breach

Most security leaders said they were worried about group legal settlements following a serious data breach, research has revealed. 

A survey by cybersecurity firm Egress revealed that while 85 per cent of respondents were concerned about regulatory fines after a data breach, 90 per cent were worried about group legal actions. 

Three years after the General Data Protection Regulation (GDPR) came into force, the research also found nearly half (47 per cent) of consumers would probably join a class action against an organisation that had leaked their data. 

However, only 67 per cent were aware of their right to take legal action following a personal data breach.

The UK-focused survey involved 250 security leaders and data protection officers, and 2,000 consumers. 

In response to their worries, 91 per cent of security leaders were relying on cyber insurance, either taking out new policies or increasing their cover. 

Michael Stacey, a partner at Russell Cooke, commented: "While class actions for GDPR breaches have the potential to lead to much greater financial exposure for businesses than fines, they are still in their infancy in the UK and it is too early to say how much of an issue they will become.

"In particular, the willingness of the courts to award damages to consumers for anxiety and distress as a result of GDPR breaches, and the evidence required to prove it, is still largely untested."

He pointed out that the Supreme Court decided, in the much publicised Morrisons case, that it should not be vicariously liable for the actions of a rogue employee.

"There are group actions pending against Google, Facebook and Tiktok which may help to define the parameters", said Stacey. 

Google is facing a class action over alleged data breaches, the first case of its kind, brought on the behalf of 4m Apple iPhone users by former Which? director Richard Lloyd.

This action sought damages against Google on the basis that the organisation had secretly tracked some of the individuals’ internet activity for commercial purposes from August 2011 through to February 2012.

The Supreme Court’s judgment is expected in the coming weeks.

Stacey commented: "If so-called 'opt-out' group litigation takes off, the aggregate impact of even small awards to individuals could be very significant and the floodgates could open to many more claims. Regulatory fines are still a big deal. British Airways was fined £20m last year, although this was reduced from the £183m initially proposed by the ICO with the economic impact of Covid-19 being taken into account."

He warned that businesses "would certainly be well advised to review and consider increasing their cyber insurance cover given the uncertainty and potential future exposure".

Egress CEO Tony Pepper said the financial cost of data breach “has always driven discussion around GDPR”.

He commented: “Initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation. 

“Organisations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. 

“With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”