Dear All,
In 2012, I posed the following question to the list: "When will the first class-action data breach suits reach the UK from the US?" In that thread, I was following the US practice of large class action lawsuits when patients had their medical information leak into the public domain.
At the time, Johnson v MDU set the standard for monetary awards from a data breach, as it required proof of financial damage. This changed in 2015 with the Vidal-Hall v Google settlement, which allowed for damage or distress. From that change, we arrive at the Morrisons judgment. The Morrisons judgment, which could still be overturned on appeal (Morrisons have indicated they will appeal), suggests that the age of class action data breach suits has arrived in the UK.
If that is the case, then the ICO's regulatory powers will be almost moot, as organisations face a greater threat from class action suits if the trends in the US hold up in the UK. Equifax, which had the major breach this summer, is facing 23 proposed class action suits, and several more are in the works. https://www.usatoday.com/story/money/2017/09/11/equifax-hit-least-23-class-action-lawsuits-over-massive-cyberbreach/653909001/
I appreciate that the UK and US legal systems have different approaches to class action lawsuits, so the comparison is limited. In the US, there is a ready-made website to initiate a class action lawsuit following a data breach. https://www.classaction.com/data-breach/lawsuit/ :) However, the principle still exists, following Vidal-Hall v Google, that class action suits are now a possibility that will influence the data protection and information security landscape.
Even if Morrisons succeed in their appeal, it is doubtful that the issue of vicarious liability will go away entirely. What will be of interest is the extent to which it will exist and how much an organisation must pay for that liability. Perhaps this will become an insurance question (how much insurance is enough?), but even then it does raise the spectre of class action suits beyond regulatory monetary penalties.
For a very good summary of the Morrisons case see Tim Pitt-Payne's post on the 11KBW Panopticon blog. https://panopticonblog.com/2017/12/06/data-breach-group-actions-criminal-insider/#more-3592
Best,
Lawrence
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^