"Have you had a data breach in the last six years?"
Solicitors and Claims Management Companies advertising for personal injury claims are out of touch - these days, a privacy breach is the new 'claim…
Solicitors and Claims Management Companies advertising for personal injury claims are out of touch - these days, a privacy breach is the new 'claim for compensation'. A new common law duty was established in Naomi Campbell’s case against Mirror Group Newspapers in 2002 when the House of Lords ruled in 2004 that her privacy was breached, as a result of which the Tort of Misuse of Personal Information was born.
There always remained statutory duties under the Data Protection Act 1998 but it was believed compensation for distress required financial loss first (largely because of the wording in the Act). However, in 2015 this was clarified by the Court of Appeal as being inconsistent with the European Directive and Section 13(2) of DPA 1998 was disapplied. Cases in which damages for distress alone were awarded followed but they were few in number. Fast forward 3 years and we are now seeing a steep rise, with a growing trend for class actions.
The most recent hit the media in July when a legal firm in the North West confirmed that it had already secured 200 individuals affected by a data breach experienced by the major ticket retailer Ticketmaster, and the number of people signing up to join the action is growing daily. The breach giving rise to the action was only announced on 27 June and the recent (free) publicity will undoubtedly work in the law firm’s favour as the media look to shine a spotlight on yet another a giant corporate playing fast and loose with the average man on the street’s personal information. The fact that Ticketmaster seems to have fallen victim itself to a hacker may not help its reputation or ability to defend proceedings, either by the regulator or the individuals seeking compensation.
Indeed, in terms of reputation, Ticketmaster is having to manage the fact Monzo Bank reported the data breach as long ago as April following fraudulent activity being experienced by a number of its customers, 70% of which had used their cards on Ticketmaster between December 2017 and April 2018. Ticketmaster could not find any evidence of a breach and advised Monzo accordingly. This did not appease Monzo who took the step of issuing 6000 new cards to any customers who had used Ticketmaster. Positive publicity for Monzo now; the reverse for Ticketmaster.
It is not clear what caused Ticketmaster to uncover the breach and the ICO will undoubtedly be interested to learn what was different on 27 June compared with the notification by Monzo on 12 April. The fact the breach has seemingly occurred before 25 May when GDPR came in may be the one saving grace for Ticketmaster with the ICO in terms of fines. A maximum of £500,000 will hurt a lot less than the sanction of 2%, or even 4% of its global turnover. The civil claims will still sting though. The North West firm championing the consumer is on record as saying the average payout per person will be £5000. There are many arguments to suggest this figure may be over-egged, but equally there is authority which provides for figures of more than double. If a breach is linked to something more sinister - such as the Misuse of Information cases involving the phone hacking scandal and the individual awards take on an entirely new complexion, ranging from £72,500 to £260,250. Get the negotiation wrong and this could be a horror story. Even if all the 200 currently signed up achieve the £5000 quoted then £1 million compensation, plus legal costs will be spent. Given Monzo identified 6000 of its customers as having been involved, this increases the damages £30 million. Then add in all the other affected customers, with some reports quoting as many as 40,000 affected individuals in total, this could be an eye watering pay out. Even if Ticketmaster had the foresight to insure itself there is a real risk the indemnity will be below the damages award, still leaving the business exposed.
So what it the moral of this story? Preventing the breach in the first place is obviously the best solution – prevention is better than cure they say. There are many steps that businesses can take to minimise risk such as educating staff and ensuring the right policies and procedures are in place. Assessing the risks in the first place will aid the strategy implemented, particularly on the technical front. But even when the asset protection piece has been assessed, implemented and stress tested, businesses still face organised criminals who are out to steal valuable information.
Even the most sophisticated systems remain vulnerable to criminal organisations. It goes without saying that the better a business is at providing security, the less risk a it may face, and this will help when the ICO locks horns. But there is still a management piece once a breach is reported and ultimately found. The management could make a significant difference to the reputational damage or ultimate spend, both in compensation terms and any penalties imposed by the ICO. Engaging with the ICO or other regulatory bodies and data loss subjects is also important; mitigating the loss can have significant financial benefits even if the breach cannot be wholly defended. In this regard there is open to the Data Controller or Processor the defence of ‘not being in any way responsible’.
This will be a high test and need to be supported with evidence, which feeds back to the original processes to enable the audit trail to be produced. The skillsets required for the different phases of Cyber Risk Management will involve different experts but all of whom need to be capable of working together efficiently and often at speed, at the same time. Without such co-ordination the post incident response may be counter productive and actually make matters worse.
The use, storage and value of data has never been higher up the agenda and in the post-GDPR world, consumers are now much more likely to understand their rights. We can therefore expect the pursuit of compensation to rise, particularly where there are organisations geared up to help. Whatever the reason, it is clear that the threat to businesses’ bottom lines is very real and needs urgent review.
Mark Brenlund is a Partner in the Cyber Risk Team at Weightmans LLP: firstname.lastname@example.org