Take steps now to prepare for the data breaches storm – Gareme MacLeod

Scotland’s is considering the adoption of US-style ‘opt-out’ class actions, thereby increasing the threat claims pose to businesses, writes Graeme MacLeod

Graeme MacLeod is a partner at CMS

The recent announcement by the Information Commissioner’s Office (ICO) of its intention to impose record fines of £183m on British Airways and £99m on Marriott International highlights one of the potential consequences for business of a data breach.

There are other consequences. The ICO’s announcement has been followed by news that law firms are gearing up to pursue class actions for damages caused by those breaches. This is a growing trend in the UK.

Sign up to our Opinion newsletter

Sign up to our Opinion newsletter

Class action law suits, a long-established feature of US litigation, have been gaining traction in recent years, particularly following the introduction of Group Litigation Orders in England and Wales. In Scotland, a more radical US-style “opt-out” option for class actions is being considered. It would enable far larger numbers of claims to be included in class actions, meaning the financial fall-out for business from data breaches could be even greater.

There is a growing appetite for data breach class actions, which allow individual claimants to claim damages more easily through collective processes. Last year the UK saw its first successful class action arising from a mass data breach, in a claim against Morrisons Supermarkets. Meanwhile in April, a class action was launched against Ticketmaster following a 2018 data breach.

The case against Morrisons came after a member of its IT staff stole personal data, including salary and bank details, of nearly 100,000 colleagues. The employee, who was imprisoned for eight years, subsequently uploaded these details on to a file sharing site. The High Court and Court of Appeal both held that Morrisons was vicariously liable for the employee’s actions and ordered the supermarket to pay compensation to the 5,000 claimants. The case is subject to an appeal to the Supreme Court.

The Ticketmaster claim was launched after personal and financial data of around 40,000 UK customers was stolen through malicious malware on third party software. There are 650 claimants.

The Morrisons and Ticketmaster cases both involved the use of “opt-in” procedures available in the English courts, requiring individual claimants to proactively opt in to a claim if they wish to be part of it. This accounts for the relatively low number of claimants compared with the numbers of individuals actually affected by the breach in each case. Opt-in procedures clearly have limitations in terms of their ability to allow all affected consumers to get the benefit of any damages award that is made or settlement which is reached. Only those who actively participate get the benefit.

By contrast, the Scottish legislation – the Civil Litigation (Expenses and Group Proceedings)(Scotland) Act 2018 – makes provision for both opt-in and opt-out processes to be adopted by Scottish courts. The detailed rules are still to be produced but should a decision be made to proceed with opt-out actions, this will potentially increase the scope of class actions significantly.

An opt-out class action would automatically include all Scottish-based claimants in the designated class who had not actively opted out of proceedings and would also allow claimants from other jurisdictions to opt in. The scope of a data breach opt-out class action would therefore be exponentially wider than the data breach claims so far brought in the English courts, considerably amplifying the potential threat.

In an era where businesses are operating under a strict GDPR regime with sizeable regulatory fines, and where cyber security breaches are a virtual inevitability, class actions arising from data breaches are a growing risk and likely to get bigger in size and stature. The potential for Scotland to introduce an opt-out system for class actions will only heighten this threat.

Businesses must be aware of the full potential consequences of a data breach, take steps to minimise the chances of one occurring, and make plans to minimise the potential impact if one happens. They should seek to mitigate risks, including having adequate insurance cover in place for the potentially large exposures arising from class action claims.

Class action law suits have long been available to American claimants and are becoming more common in the UK. Should Scotland decide to implement the more radical opt-out process for mass claims, it will be more crucial than ever for businesses to invest so that they are suitably insulated from the pending storm.

Graeme MacLeod is a partner at CMS