If the GDPR fines don’t get you, the personal claims might

With the deadline for mis-sold PPI claims coming to an end, GDPR could become the new cash cow for no-win, no-fee law firms and spur a rise of class action lawsuits.


“Have you been a victim of a cyberattack? Has a company lost your personal data due to negligence? Then call now for a free consultation about our no-win, no-fee GDPR claims.”

Though it might seem far-fetched, the introduction of the EU’s General Data Protection Regulation (GDPR) has given a new avenue to ‘ambulance-chasing’ claimant law firms looking to make money from data breaches. 

With the end of Payment Protection Insurance (PPI) claims imminent, provisions in the GDPR around compensation, combined with the ICO handing out large fines to the likes of BA and Marriott, could create a new wave of ‘no win, no fee’ compensation claims and class-actions filed against non-compliant companies.

PPI Claims are coming to an end, claims firms need new revenue streams

PPI is a type of insurance that covers monthly debt repayments if you're unable to meet them for reasons such as ill health. While useful in some cases, banks were found to have mis-sold PPI alongside loans, credit cards, and mortgages. Once the Financial Services Authority (FSA) ruled that the banks were at fault and should provide refunds, PPI claims became a cash cow for claimant law firms. Some 34 million people in the UK are believed to have been mis-sold PPI, and more than £40 billion ($53 billion) has been paid out since 2011.

However, the deadline to make a claim for mis-sold PPI is approaching fast. After the 29 August 2019 deadline imposed by the Financial Conduct Authority (FCA, the FSA's successor), companies whose operations centred entirely on helping people make claims against banks will be forced to adapt or go out of business. GDPR could offer a new revenue stream.

Article 82 of the GDPR gives individuals the right to compensation for "material or non-material damage as a result of an infringement of this Regulation", while Article 80 allows individuals to mandate a not-for-profit body (such as Citizens Advice or Which?) to lodge complaints and, where national law permits, to claim compensation on their behalf against businesses that have breached the GDPR.

Various studies suggest GDPR compliance is far from ubiquitous, exposing businesses to significant risk if lawyers do become litigious. A report from Macro4 suggests a third of UK businesses could still be non-compliant, while a Freedom of Information request by Redscan found that less than a quarter of breaches disclosed in the 12 months leading up to GDPR would have been non-compliant with the legislation.

Bryony Hurst, partner in the Dispute Resolution Group at law firm Bird & Bird, says that to date there has been very little in the way of class action (known as group litigation in the UK) in the data protection field, but she predicts an increase in the future.

“Consumer customer awareness just simply wasn't there pre-GDPR, and I don't think it was something that claims firms were particularly focused on; there were easier channels to pursue if you wanted to put together mass claims for relatively low-level damages and get a good result,” Hurst explains.

“I think just the very fact that everyone was talking about GDPR for the last few years has heightened consumer, claim firm, and litigation funder awareness. And as a result, it is now something that is being focused on in the arena of group litigation, and this is definitely something that I predict to be on the rise going forward.”

While she has yet to be involved in any group litigation, Hurst says she has already seen a tenfold rise in the number of individual claims relating to data breaches, often seeing multiple claims relating to the same data breach from the same set of claimant law firms.

“This is, from my perspective, potentially the start of rumblings of a class action; if they send 10 letters this month and they do that the next six months and they've suddenly got 600 claimants, it does start to work out maths-wise for a funder to fund that and then have it turned into a class action,” she says.

ICO decisions against BA & Marriott may encourage a wave of claims

There are already early signs of class action suits becoming more common in the UK.

SGP Law is currently putting together a group litigation action against BA over its 2018 breach involving over 300,000 customers, while Hayes Connor Solicitors has launched similar action against Marriott in the wake of the 2018 breach of its Starwood subsidiary, which involved up to 7 million UK victims. Hayes Connor is also running a claim against Ticketmaster over a data breach that occurred in 2018.

Both BA and Marriott were recently given large fines by the UK data protection regulator, the ICO, for GDPR failures relating to their breaches (the ICO hasn’t released any public decisions relating to Ticketmaster). While Hurst says it is too early to tell if the large fines the ICO has levied against the two companies will increase the likelihood of success for the litigations against them, she predicts the fines will have come as good news for certain law firms.

"There's been a time delay to the ICO getting up and running with GDPR; it's only very recently we've started to see enforcement notices and penalty notices being issued," says Hurst. "The ICO has traditionally been seen as more of a light touch regulator than some data protection authorities around Europe so, [the two ICO fines] definitely is a bit of a shock to the system for UK-based corporations who are regulated by the ICO."

"I'd expect claimant lawyers to get very excited about it and really see a boost to their chances in persuading claimants to join the class action. I think it will massively encourage any potential claimants and any potential claimant law firm to pursue their own class action claims."

Hurst says that individuals who brought claims against companies under the previous Data Protection Act saw payouts of £10,000-12,000 at the highest end of the scale. Even a small fraction of that per claimant could be massively damaging to the likes of BA and Marriott if hundreds of thousands of people make claims against them, and if the current group litigations produce awards in the tens of thousands of pounds per claimant, it could start a chain reaction of class actions.

"It has to be a worthwhile investment for them [the claimant firms]. If we see anything significantly greater than that [£10,000-12,000 figure] – and then you're looking at the BA breach where you've got hundreds of thousands of people affected – you can see how it's totally worth the time for the litigation funders to get involved. I can't see really a barrier at the moment for that market to grow hugely."

Preparing for class actions: keep open channels between security & legal, have insurance

Marriott recently said in an earnings call that it is setting aside over £100 million in case its efforts to dispute the ICO's fine fail. However, Hurst admits that class action suits are harder to budget and prepare for ahead of time, and there is little companies can do to protect against them.

“If you get an ICO finding that is so critical that your lawyers say you don't have a leg to stand on then I think what companies will be looking to do – and this is always possible with group litigation – is to approach this kind of thing tactically and seek early settlement,” she says.

“I suspect that defendants will be weighing that up from a strategic perspective and thinking about whether it is worth a public fight with the potential for a very damning judgment against them from the court and all the costs associated with defending that versus actually making an offer now. And I'm sure that that's also what a lot of the claimant law firms are taking a punt on.”

Beyond doubling down on ensuring your current GDPR compliance efforts are as watertight as possible, Hurst recommends that companies ensure that security and legal teams work together ‘holistically’ to fix any potential issues as quickly as possible: “Don't consider this just an IT problem or just a legal problem. Make sure that the left hand and the right hands both know what's going on; yes, shut down the potential vulnerability as quickly as possible from a technical perspective, but also make sure that legal are fully briefed so that they can do the analysis on the risk and start putting in place those organisational things that can help to limit liability in the first place.”

She also recommends not only having cyber-insurance but double checking that the policy covers all eventualities and you are covered in the event of individual and/or group claims.

US food giant Mondelez is currently involved in a dispute with Zurich; the insurer is refusing to pay out on a $100 million claim over the NotPetya attack suffered by Mondelez, arguing that Russia's involvement in the attack makes it an 'act of war' excluded under the terms of the policy (an all-risk property policy rather than a dedicated cyber policy, which is exactly why the exclusions in any policy expected to cover cyber losses need checking).

Copyright © 2019 IDG Communications, Inc.
