Mitigating a Data Breach: Insider Threats - Episode 3 - what regulatory action and civil claims might you face?


Welcome to the third episode of our Mitigating a Data Breach: Insider Threats podcast series. In this series of 3 podcasts, members of the Travers Smith Cybersecurity team, Technology & Commercial Transactions Partner, James Longster, Employment Partner, Adam Wyman and Dispute Resolution Senior Counsel, Rachel Wilson, take a look at what happens in the aftermath of a data breach. They focus on cybersecurity threats originating from within an organisation or its supply chain and discuss how to mitigate their impact.

In this final episode of the series, James and Rachel conclude by discussing potential regulatory action and the types of civil claims your business might face in the event of a data breach. 

"Mitigating a Data Breach: Insider Threats" is a short series hosted on From Travers Smith, a podcast that collects episodes and audio versions of our briefings across a broad range of topics, from asset management to technology via CSR and ESG.



Disclaimer: Transcripts are autogenerated and so may not be 100% accurate. For corrections please contact us.

00:00:04:07 - 00:00:27:14
James Longster
Hi, I'm James Longster, a partner in Travers Smith's commercial IP and technology department and part of Travers Smith's cybersecurity group. In the previous episode of our podcast series, Mitigating a Data Breach: Insider Threats, we took a look at the regulatory backdrop, including notification requirements in respect of a data breach. In this third and final episode, we discuss potential regulatory action and civil claims that you might face.

00:00:28:03 - 00:00:52:02
James Longster
As well as touching briefly on cyber insurance, I'm joined by Rachel Wilson, who is a senior counsel in our Dispute Resolution Department. Thanks for joining, Rachel. So let's say you've reported a cyber incident to the regulator. What are the chances of further action being taken? Well, the ICO takes a risk-based approach to regulatory action and follows its regulatory action policy.

00:00:52:08 - 00:01:18:01
James Longster
And according to the ICO's stats, up to the end of Q2 2022, it pursued an investigation in 37% of reported cyber incidents, took informal action in 19% of cases, and no further action in 41% of cases. And in terms of what the ICO can do, it has various tools in its armoury, which I'll briefly run through. So firstly, information notices, which, as the name suggests, require information.

00:01:18:04 - 00:01:40:14
James Longster
And this must be given within a specified time frame to assist the ICO's investigations. And then you have assessment notices. These allow the ICO to consider whether you are compliant. In extreme cases, the notice can require that the ICO be given access to premises and specified documentation and equipment, and with a warrant the ICO can conduct a dawn raid on your premises.

00:01:41:07 - 00:02:04:03
James Longster
The most high profile example of which was the dawn raid in relation to the Cambridge Analytica investigation. Next, we have enforcement notices which the ICO can issue where a data controller or processor has breached one or more of the data protection principles. And their purpose is to mandate action or prohibit further processing in order to bring about compliance, remedy a breach or both.

00:02:04:13 - 00:02:32:10
James Longster
And failure to comply may lead to further action, including possible penalty notices, which the ICO issues for the most serious breaches, such as those involving intentional or negligent acts or repeated breaches. And the ICO will be more likely to impose a penalty where a large number of individuals have been impacted, where there's a degree of damage, which can, of course, include embarrassment and distress, or where special category data has been involved.

00:02:33:00 - 00:02:59:01
James Longster
As I'm sure listeners will know, the ICO can apply large fines for serious breaches of the UK GDPR, so up to £17.5 million or 4% of the total annual worldwide turnover, whichever is higher. Before issuing a penalty, the ICO will issue what is called a notice of intent, setting out its rationale and the proposed amount. And you will be given some time to make written representations, which the ICO will consider.

00:02:59:07 - 00:03:23:01
James Longster
Now there's a very clear trend for the amount of the ultimate fine to be significantly less than the amount set out in the notice of intent. See, for example, the data breach fines involving British Airways, originally £189 million, which fell to 20 million; Marriott, originally £99 million, which fell to 18.4 million; and Ticketmaster, originally 1.5 million, which fell to 1.2.

00:03:23:08 - 00:03:50:09
James Longster
However, you obviously can't guarantee that this will always be the case. The regulatory action policy also sets out aggravating and mitigating factors that will be taken into account in arriving at a fine. Unsurprisingly, action you take to limit the damage to individuals, cooperation in the investigation and quick notification are some of the mitigating factors. Now, in addition to penalty and enforcement notices, the ICO can also issue reprimands.

00:03:50:12 - 00:04:14:10
James Longster
And in June of last year, the ICO announced they would be resorting more frequently to issuing reprimands, rather than fines, particularly in relation to public sector bodies. Now a reprimand is a written letter stating that the ICO believes an organisation has not complied with the UK GDPR, typically issued following an ICO investigation where an infringement is not serious enough to warrant a penalty or enforcement notice.

00:04:15:02 - 00:04:43:15
James Longster
It's also worth noting that from December 2022, the ICO is making all reprimands public unless there is a good reason not to. So while a reprimand is not compelling organisations to do or pay anything, it has a naming and shaming deterrent effect. Indeed, this seems part of a more general policy shift by the ICO to publishing information about issues reported to it, including the identity of the organisation under review, along with the outcome of the ICO's review.

00:04:44:05 - 00:05:04:06
James Longster
Today, I've talked about the ICO response, but of course, as we discussed in the previous episode, you may face regulatory action by more than one regulator and in more than one jurisdiction, which, to reiterate our message from our previous episode, is exactly why planning for a data breach is so important. So that's a bit of a snapshot of the regulatory perspective.

00:05:04:06 - 00:05:08:15
James Longster
But Rachel, what about private actions brought by data subjects?

00:05:10:02 - 00:05:31:04
Rachel Wilson
Well, as well as the administrative fines or other penalties which the ICO may impose, individuals may also bring claims against those data processors in the courts. So under Article 82 of the UK GDPR, a processor can be held liable to an individual for any damage caused by the processing of data, including for non-material damage such as distress.

00:05:32:02 - 00:05:56:08
Rachel Wilson
A court will make an order for compensation of the affected individuals by way of damages, and data subjects can also ask courts to make compliance orders under Article 79. As to how the UK courts will deal with privacy actions brought by data subjects, what we were all watching and waiting to find out last year was how the class action landscape in the UK might change as a result of the Supreme Court's decision in Lloyd v Google.

00:05:57:02 - 00:06:27:06
Rachel Wilson
There was a lot of speculation at the time about whether it would open the floodgates for opt-out class actions for data claims in the UK. In reality, it hasn't, for the reasons I'll explain later. Lloyd v Google was a claim which was brought under the old 1998 Data Protection Act, so it was pre-GDPR. The claim was brought on behalf of more than 4 million iPhone users who'd been affected by a Safari workaround, which had effectively enabled Google to harvest browser data from the iPhone users without their consent.

00:06:28:02 - 00:06:52:15
Rachel Wilson
Mr. Lloyd, who was the class representative, sought a uniform amount on behalf of each iPhone user without seeking to prove damage for each individual. The amount sought was £750 per user, giving a total claim value in the region of £3 billion. Compensation was sought on the basis that each and every user had lost control of their data and that they should receive damages as a result.

00:06:54:02 - 00:07:20:13
Rachel Wilson
So the Supreme Court had to consider two questions. Firstly, it had to address the question of whether compensation for loss of control can be awarded under the old 1998 Act without evidence of damage or distress. The court held that the claim founded solely on loss of control was untenable and concluded that the mere fact of a non-trivial breach amounting to a loss of control is not enough to warrant an award of compensation.

00:07:21:05 - 00:07:49:08
Rachel Wilson
Instead, it's necessary to prove that material damage or distress has been suffered as a result of the breach. Secondly, the court had to think about whether a representative action was an appropriate vehicle for this kind of claim. And the court concluded that the claim was not one where the class had suffered uniform damage or distress, and that accordingly, compensatory damages could only be assessed by way of an individualised, factual inquiry into the particular circumstances of each claimant.

00:07:50:15 - 00:08:12:08
Rachel Wilson
The Court speculated that an effective case management model for this kind of claim would effectively be a two-stage process whereby a representative action would be brought first on an opt-out basis to determine common issues of liability. And if the claimants were successful at that stage and the court confirmed that class members were entitled to seek compensation,

00:08:12:12 - 00:08:27:02
Rachel Wilson
those individuals could then pursue follow-on claims for damages on an individualised basis. So unsurprisingly, given the economics of bringing that type of claim, claimants haven't really been rushing to the courts with reformulated, bifurcated claims.

00:08:28:09 - 00:08:47:12
James Longster
Yeah, the Supreme Court decision effectively acted as a bit of a bucket of cold water to quell the excitement around class actions for data claims. And it's not surprising that a number of representative actions for privacy claims have been dropped in the wake of Lloyd. Now, we've also seen a steady stream of cases through the High Court in the last two years following Warren v DSG Retail

00:08:48:00 - 00:09:13:11
James Longster
to suggest that courts will also knock back ambulance-chasing data breach claims. So low-value claims for trivial data breach incidents are often based on misuse of private information or breach of confidence and claiming for distress. Now these decisions make de minimis no win, no fee claims less attractive to claimant law firms and should in time hopefully reduce the number of vexatious claims by which some organisations have been plagued.

00:09:14:05 - 00:09:32:07
James Longster
And in Europe, there seems to be a similar approach to non-material damage. A recent opinion of the Advocate General of the CJEU also concluded that mere upset is not sufficient to trigger compensation under Article 82 of the EU GDPR. Now finally, to round off this topic, we should just mention insurance, which is

00:09:32:15 - 00:09:56:13
Rachel Wilson
more of a postscript really. Cyber insurance covers the losses relating to damage to or loss of information from IT systems and networks. It's a requirement of all cyber policies that any claims against the insured that are covered under the policy are notified to the insurer within a specified period. You'll need to build this into your response plan, as well as the need to make no admissions which might invalidate your cover.

00:09:57:13 - 00:10:32:07
Rachel Wilson
These requirements are almost always conditions precedent to the insurer's liability, so cover can be refused if the claim is not notified as required. Many policies provide an incident response package to provide companies with assistance with managing any incidents. This often will include IT forensic consultants to contain the IT vulnerability that gave rise to the breach and to restore systems and recover data, public relations consultants, and also lawyers to advise on obligations to notify data breaches to regulators and to data subjects.

00:10:32:07 - 00:10:45:02
Rachel Wilson
Some policies will require you to use the insurer's recommended lawyer if a data security incident arises, whilst others permit you to use your own adviser instead. But this might require some prior planning and approval.

00:10:46:11 - 00:11:10:15
James Longster
Yeah, that's right. Although we frequently find that our clients' interests and those of the insurers and insurers' lawyers at times diverge. So the insurer's overriding objective is to limit their exposure under the claim. But a business will have to have a longer-term view and be looking to protect other interests, so things like reputation. So it's therefore always helpful to have independent advisers on board.

00:11:10:15 - 00:11:27:00
James Longster
Well, that brings us to the end of this episode and the series. If you have any feedback, questions or comments on the series or you're looking for assistance in preparing for or handling a data breach and its fallout, we'd be very happy to hear from you. Please do get in touch using the contact details found on our website.

00:11:27:09 - 00:11:30:02
James Longster
Thanks for listening.


Since recording, Travers Smith’s Commercial, IP & Technology department has been renamed to Technology & Commercial Transactions.
