But the court ruling is also a warning to liability underwriters

Google magnifying glass.jpg

Civil litigation pursuing compensation arising out of data breaches is considered to have a greater prevalence in the US than the rest of the world, and is often cited as one of the reasons why the uptake of cyber insurance has been slower on this side of the Atlantic, write DAC Beachcroft technology, media and information risk team partner Hans Allnutt and solicitor Helen Nuttall.

 In the US, LinkedIn recently settled a class action which sought damages arising out of the 2012 hack where approximately 6.5 million passwords were stolen by Russian cybercriminals. LinkedIn agreed to pay $1.25m to US plaintiffs who purchased a premium subscription and relied on LinkedIn’s statements about the security of the service.

In the UK, however, data protection, privacy and cyber issues are rarely litigated. However, claims for compensation appear to be on the rise in the UK courts, with several recent cases dealing with the thorny issue of whether compensation for moral damage alone ought to be available to victims of data breaches who cannot demonstrate a direct financial loss.

In March 2015, the Court of Appeal granted permission to Ms Vidal-Hall and two other claimants to sue Google for compensation for their distress caused by Google’s breach of the Data Protection Act 1998 (DPA). In doing so, the Court declared that the “misuse of private information” is a tort for the purposes of suing companies outside of the UK.

The case concerned Google’s alleged secret monitoring of Apple Safari users through the use of cookies that circumvented Safari’s privacy settings in 2011/2. The claimants state that this caused them distress and seek financial compensation. Quite what distress was caused is unknown (the claimants’ pleadings are confidential) but it might be that the disclosure of their browsing activities through the resulting targeted advertising to other users of their Safari browser caused them personal or professional embarrassment. Interestingly, the claimants also seek an account of profits that Google made in targeted advertising from its unlawful use of their personal data.

Financial compensation for distress caused by data breaches is governed by s.13 DPA. Before this case, claimants had to prove some direct financial loss before they could claim compensation for distress. The Court of Appeal’s decision endorses the first instance judge’s view that claimants should not be restricted in this way and should have a straight right to claim compensation for moral damage caused by a breach of the DPA.

Unsurprisingly, Google has appealed the decision to the Supreme Court but faces an uphill struggle against an increasing trend by lawmakers, judges and regulators to recognise the modern day threats to individual’s rights to privacy. It is telling that the UK data regulator (ICO) felt compelled to intervene in the proceedings and declare its position that “compensation must be available for moral damage caused by data breaches”.

Despite the appeal, this decision is likely to have a huge impact on privacy law in the UK, paving the way for increasing claims in damages for data protection breaches. The sums obtained will invariably be small, but the potential for large volumes of these small claims will be a worry to companies controlling significant volumes of personal data.

For insurers, this case is truly groundbreaking. Firstly, the potential increase in claims is likely to spur interest in cyber risk policies. However, the decision should also act as a caution to underwriters of existing liability classes which include data protection or invasion of privacy indemnities. Many insurance policies indemnify breaches of the DPA or an ‘invasion of privacy’ (not just cyber risk policies) and insurers of all classes may wish to review the cover provided.

This case is also interesting because it permits the claimants to sue a US company in the UK for breaching UK data protection law. This decision has ramifications for any foreign company processing (or controlling the processing of) personal data in the UK.