Seaton Gordon, Legal Director, at law firm Clyde & Co, London says cyber is threatening to become yet another assault on the insurance industry’s reputation.
Group claims (and potentially class actions) flowing from data breaches could become the new PPI in 2021.
The legal barriers to individuals bringing claims for loss of their personal data have been reducing in recent times. The timing coincides with growing consumer awareness and distrust about how their data is monetised and used, and at a time when newsworthy data breaches are becoming more frequent in occurrence.
Claims management companies and claimant law firms have been circling the potentially lucrative market in data privacy group action claims for some time. So far, however, there have been limited opportunities for them. But the ICO’s GDPR fines levied against British Airways, Marriott and Ticketmaster changes the situation, provides the claimant market with an opportunity to seek to leverage an adverse regulatory decision to bring claims, as they successfully did with PPI misselling cases.
The final piece of the puzzle could be a positive outcome for Richard Lloyd in the Lloyd vs Google data protection case that goes before the Supreme Court in early 2021. If Mr Lloyd wins, it will confirm that individuals are, in principle, entitled to compensation if a controller has lost control of their personal data, potentially taking the law closer to strict liability for data protection breaches. Moreover, it could potentially open the floodgates to ‘class actions’ with a surge of US-style opt-out ‘representative’ actions likely to follow.
The threat of a class action claim brought by experienced claimant lawyers seeking to leverage a regulatory sanction will raise the stakes for any organisation that suffers a large and newsworthy personal data breach. For now, these organisations typically face reputational damage linked to negative headlines, potential loss of consumer confidence and, in all likelihood, a data protection regulatory fine. While these outcomes are unfortunate, they are not ruinous.
However, a surge of low value compensation claims from hundreds of thousands or even millions of individuals could cripple an organisation. The cost and burden of dealing with such a scenario represents a significant, and long-tail, risk to organisations’ financial viability and their reputation. With this threat on the horizon, data breach based group claims (and potentially class actions) are a risk that should be high on the risk radar next year.