This year has brought sweeping changes to the way businesses must respond to data breaches. There are new obligations to notify regulators of data breaches and significant decisions on liability in the Morrisons and Lloyds judgments. Finally, there are important lessons to be learnt from the regulatory fines issued to Equifax and Tesco Bank.
The worrying aspect about data breaches is that they can so easily affect hundreds of thousands, if not millions, of individuals. We round up these developments and consider if the floodgates have opened for liability claims.
A number of new data breach notification obligations have come into force this year. The table at the bottom of this article summarises the current framework.
The most significant obligation arises under the General Data Protection Regulation which, amongst other things, requires “risky” breaches to be notified to the Information Commissioner. She is reportedly receiving around 500 breach notifications a week and is concerned that some controllers are “over reporting”.
The number of reports may reduce over time as the new system beds in. In the interim, many businesses are likely to take a cautious approach and report borderline breaches on the basis that there is little downside; a minor breach is unlikely to be selected for future enforcement action.
The notification duties under the General Data Protection Regulation are at least harmonised across the European Union. The same is not true for the Network and Information Systems Directive which has been implemented in a slightly different way in each Member State. For example, it does not apply to financial services firms in the UK and sanctions for breach vary significantly. We provide an overview of the implementation of this Directive in Belgium, France, Germany, Spain and the UK, here.
The impact of the laws of vicarious liability on data breaches was recently considered by the Court of Appeal in Morrisons v Various Claimants [2018] EWCA Civ 2339.
The breach is slightly unusual. It was not the result of an attack by a third party; instead it was caused by a disgruntled employee, Andrew Skelton, who worked as a senior internal auditor. After making unauthorised use of Morrisons’ postal facilities, he was given a formal verbal warning. This left him with a grudge against Morrisons.
Mr Skelton was subsequently asked to help KPMG audit Morrisons. KPMG needed access to Morrisons’ payroll data, which the human resources department provided to Mr Skelton. Mr Skelton provided that data to KPMG using an encrypted USB stick but also copied it onto a personal USB stick. Mr Skelton then, amongst other things, uploaded it onto the internet. This was a serious criminal act for which Mr Skelton was jailed for eight years.
A Group Litigation Order (opt-in class action) was launched and 5,518 employees have now signed up. The case reached the Court of Appeal which upheld the High Court’s judgment. Accordingly:
Morrisons has announced they will appeal to the Supreme Court. That appeal may raise a number of important issues including:
However, the interesting issue is not liability but damages. This is a split trial on liability and damages so this will not be decided until a later date. Given none of the employees have suffered any financial loss, compensation may well be small (though with 99,998 employees affected this could still add up to a large number). The case below casts some light on this issue.
This case arose out of the “Safari Workaround”: essentially Google’s use of a technical workaround to bypass the cookie settings on the Safari browser and place tracking cookies without the individual’s knowledge or consent. This was a clear breach of privacy laws by Google, which was fined by US regulators.
Mr Lloyd launched a representative action against Google to recover damages on behalf of the 4.4 million affected individuals in England and Wales. Mr Lloyd suggested they should receive approximately £750 compensation each, which indicates total liability of up to £3 billion. Google described this as a “contrived and illegitimate attempt to shoe-horn a novel ‘opt-out class action’ into the representative action procedure”.
Mr Lloyd applied to the English courts for permission to serve proceedings out of jurisdiction on Google LLC in California (Lloyd v Google LLC [2018] EWHC 2599). That application was comprehensively rejected.
Mr Lloyd has indicated he will appeal, though this may be a struggle given the Court’s conclusion this is “officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches”. Moreover, the “main beneficiaries of any award at the end of this litigation would be the funders and the lawyers, by a considerable margin”.
This was a representative action. It will be interesting to see if these principles are applied to Group Litigation Orders (opt-in class actions) such as the Morrisons case above. While GLOs are not subject to the same strict requirements, they also raise questions about how you award compensation to a large group of claimants who have not suffered any actual loss or are affected very differently.
Breach of data protection laws can also result in regulatory sanctions. In September 2018, the Information Commissioner fined Equifax £500,000, the maximum under the Data Protection Act 1998.
The data breach occurred in 2017 and was the fault of its parent, Equifax Inc., which acted as Equifax Limited’s data processor. Equifax Inc. ran a web server using open source software called Apache Struts. A critical vulnerability in Apache Struts was identified on 7 March 2017 and a patch was released the same day. However, Equifax Inc. did not apply that patch. Nearly two months later, the web server was still unpatched and Equifax Inc. was hacked, resulting in a massive loss of data, including data relating to Equifax Limited.
The size of the fine reflects a number of aggravating factors:
The breach provides a number of pointers on how to manage intra-group processing arrangements. It also took place under the Data Protection Act 1998. The maximum sanction under the General Data Protection Regulation is much higher, being the greater of EUR 10 million or 2 per cent of annual worldwide turnover (the lower tier of sanctions under the GDPR). It is not clear whether there would have been a higher sanction if that breach had occurred now.
The Information Commissioner is not the only regulator with powers to sanction data breaches. In October 2018, the Financial Conduct Authority fined Tesco Bank £16.4 million following a cyber-attack.
The attack took place in November 2016. Fraudsters in Brazil sent a series of fraudulent payment instructions using a payment method known as “PoS91”. This is a known source of fraud. The attack took nearly 48 hours to close down and caused losses of £2.26 million.
The Financial Conduct Authority found Tesco Bank in breach of Principle 2 of the FCA Handbook. This requires a firm to conduct its business with due skill, care and diligence. Some of the key failings arose from poor general security:
Tesco Bank’s response was also inadequate:
Following the attack, Tesco Bank put a comprehensive redress programme in place and co-operated fully with the investigation. As a result, the Financial Conduct Authority reduced the fine by thirty per cent.
The breach illustrates the need not just to have robust processes to respond to cyber-attacks but to test them to ensure they work in practice.
In Ultramares Corporation v. Touche, Cardozo, CJ famously warned against the law creating "liability in an indeterminate amount for an indeterminate time to an indeterminate class". In the case of data breaches these factors may be massive rather than indeterminate, but the same principles apply.
Does the law draw the right balance between the interests of affected individuals and the risk to businesses of potentially ruinous liability? In the Morrisons case, the Court of Appeal suggested that such “Doomsday or Armageddon arguments” could be avoided through insurance. Finding suitable and affordable cover may be easier said than done.
| Law | Date | Who? | What? | How? |
| --- | --- | --- | --- | --- |
| General Data Protection Regulation | May 2018 | Controllers of personal data. | Personal data breaches. | All personal data breaches must be recorded. Risky breaches must be notified to the ICO within 72 hours. High risk breaches must be notified to individuals. |
| Network and Information Systems Regulations 2018 | May 2018 | Operators of essential services. Digital service providers. | Incidents having significant impact on services. | Notification to the relevant competent authority without undue delay and within 72 hours. |
| Payment Services Regulations 2017 | January 2017 | Payment service providers. | Major operational or security incident. | The FCA must be notified within 4 hours. Users must be notified without undue delay if there is an impact on their financial interests. |
| eIDAS Regulation | July 2016 | Trust service providers. | Breach of security or loss of integrity. | Significant breaches must be notified to the ICO within 24 hours. Users must be notified if the breach will adversely affect them. |
| FCA Principles for Business | April 2013** | Financial services firms. | Various. | A firm must notify the FCA of anything it would reasonably expect notice of. |
| Privacy & Electronic Comms. etc. Regulations 2003 | May 2011 | Personal data breach. | Personal data breach. | The ICO must be notified within 24 hours. |
* This is not a complete list. Other sector specific obligations arise, for example obligations on telecoms operators to notify Ofcom of security breaches under section 105B of the Communications Act.
** These replace the earlier, and very similar, FSA Principles for Business.