Dealing with data protection claims

An increasing number of high-profile data breaches and regulatory incidents have been capturing headlines in the UK. As a result, a claims culture, particularly in relation to data breach claims, is springing up against organisations of all sizes and across a variety of sectors.
 
We have summarised some of the types of claims your organisation may receive and have set out our top tips for dealing with one, should you receive one in your in-tray. 

1. What is the nature of the claim?

The most common form of claim we are seeing, particularly within the domain of group action claims, is the data breach claim. As an example, these may result from:
  • personal data made public or disclosed to a third party from emails or documents sent to the incorrect recipient, or information disclosed in error, by cyber-attack or a rogue employee;
  • failure to take steps to prevent malign actors within an organisation or third parties with whom an organisation works, from illicitly acquiring data; or
  • misuse of personal data or using data in a way not stated as a purpose in an organisation's policies. This includes claims against companies for using cookies and other tracking software contrary to a user's consent.

2. Identify the claimant(s)

Once you have identified the nature of the claim, you should ascertain whether the claim is being brought against you by an individual or by a class of individuals. Common claimants in data protection claims are:
  • Customers;
  • Employees and contractors;
  • Website users (who may or may not become customers).

As actions by groups or classes of individuals can be significantly more complex than actions by individuals, the rest of this point (2) is devoted to these claims.
 
Claims from classes of individuals generally fall into two categories: so called "opt-in" and "opt-out" actions.

Opt-in

An "opt-in" claim is brought by a group of individuals who have actively agreed to take part in a claim. In the more high-profile examples, the claims are usually managed by law firms acting for the claimants or by claims management companies and such claims tend to be actively marketed (including on social media and television adverts) to encourage affected individuals to take part. A good example of this is the data breach claim against EasyJet, where allegedly millions of customers' data was accessed by unauthorised actors in May 2020. In this case, affected customers needed to elect to participate in the group action by proving their personal data was affected. 
 
Many of these claims will be brought by claims management companies on the basis of a conditional fee arrangement, i.e. "no win, no fee" for the client. For these types of organisations, costs recovery is key. Invariably this means that any settlement will involve significant costs in addition to the compensation sought. We have seen claims for compensation in the region of £750 - £1,000 per claimant for minor breaches. This figure could increase substantially if the claimant claims they have suffered particular distress or damage in terms of their mental health as a result of a data breach.

Opt-out

The second type of claim is an "opt-out" claim, whereby an action is brought on behalf of a class of affected individuals who may not be aware of the claim. Unless an individual has taken active steps to withdraw, they will be included in the action. In the United Kingdom, unlike other jurisdictions such as the USA, these types of actions are not common. 
 
Indeed, the recent, seminal case of Lloyd v Google [2021] reduced the likelihood of such claims being used. The Supreme Court considered whether to allow an opt-out group action against Google on behalf of affected iPhone users for alleged data privacy breaches relating to the Safari software. The Court found that it was not possible to bring a class action for damages relating to the loss of control of data under the GDPR's predecessor legislation (to which this claim pertained), as the individual claimants needed to show damage stemming from the infringement and this would need to be considered for each claimant. On that basis, the Court held that the "opt-out" group action was not the appropriate vehicle in this situation.
 
However, later cases such as Stadler v Currys Group [2021], relating to a claim for compensation for a data breach under s168 of the Data Protection Act supplementing Article 82 of the UK GDPR, have suggested that damages are likely to be available under the UK GDPR for "non-trivial claims" where there is proof of damage or distress on the part of the claimant.

Though specific to its facts, Lloyd v Google was a reassuring outcome for businesses that may otherwise have been subjected to a wave of opt-out claims inspired by Lloyd. However, it should be noted that the Supreme Court did not rule out other "opt-out" claims being brought and took the opportunity to indicate how future claims could be pursued. Therefore, the risk of "opt-out" claims remains a possibility, and the future of these actions will largely depend on whether claims management firms consider such claims to be financially viable.

3. Top tips for dealing with a data protection related claim

  • Be organised: ensure you have internal processes that allow claims to be spotted, escalated and dealt with. Even though some of the above claims may be opportunistic in motivation, failure to properly respond to communications from, or address the concerns of, claimants may later prejudice a defence if a claim is filed in the courts.
  • Some communications received from claimants will identify themselves as "letters before action". It is important that you diarise any deadlines for reply specified in the letter. More formal pre-action approaches (likely from professional claimant organisations, as discussed in point 2 above) will follow the Pre-action Protocol for Media and Communications. As such, you will need to ensure you are aware of and able to respond within the set deadlines. Failure to do so may negatively impact your position if your case does go to trial and runs the risk of an adverse costs order.
  • Where no date for a reply is included in a letter of claim, you should aim to acknowledge receipt as soon as possible. It may also be appropriate for you to send a holding response stating that you are reviewing the claim and will respond more fully by a certain date.
  • Carry out an internal fact-find and a search for any relevant documents, to establish the factual background to the claim and compile relevant information to create a timeline of events around the time of the alleged breach and to assist with your defence of that claim.
  • It is important that from an early stage, your organisation provides robust, prompt responses to protect your position against any threatened claim being issued at court (but only once you are in possession of all the facts regarding the incident leading to the threatened claim).
  • Carefully consider how you respond substantively to any allegations. We understand that in many cases, organisations will want to defend claims on a point of principle. However, this should always be weighed against the potential reputational and financial costs if the claim does proceed to court, and the increased public attention that such an action attracts. Fighting a claim on a point of principle may not be advisable, particularly if you establish that the data breach complained of did indeed take place, and in light of its severity (based on the risk to the rights and freedoms of the individual whose personal data was breached).
  • Factor the likely costs of a claim into your decision-making. The longer the dialogue between your organisation and the claimant continues, the more costs will accrue, which the claimant will likely seek to recover as part of any pre-action settlement. Seek advice from specialist solicitors at an early stage for strategic input in this respect.
  • Put your insurers on notice that you have received a claim and/or consider taking out further insurance to mitigate any potential losses. You will need to check your insurance policy carefully to see whether these circumstances are covered. The financial risks posed by claims (particularly group action claims) can be punitive, and failure to follow the required notification procedure could prejudice your ability to rely on the insurance.

We are experienced in assisting organisations to deal with such claims and reach a positive outcome. We are able to advise you on how best to balance the various risks involved and can also assist with interpretation of, and negotiation with, insurers if required. If you require further advice or assistance in relation to a claim resulting from a data breach, then please do get in touch with Tom Torkar or Emily Aggett.