Data breaches, and plaintiff recruitment, becoming more high profile

Companies suffering data breaches have always faced a risk of litigation, but this risk has markedly increased in recent years.

Plaintiff law firms are becoming more active in this field, in part due to the significant increase in plaintiff-side mass claims funding and the ease of identifying and recruiting potential plaintiffs. It is becoming increasingly common for litigation proceedings to be issued earlier, and in parallel with regulatory proceedings.

In addition, plaintiff firms, particularly in Germany and Austria, often bring hundreds, or even thousands, of individual actions in parallel; thereby creating, in effect, an informal class action and an immense administrative burden on businesses and courts.

This trend is likely to be exacerbated in the US by the Securities and Exchange Commission’s (SEC) new cybersecurity disclosure rules, which require all US reporting companies to disclose material cybersecurity incidents within four business days of the company’s determination that they experienced such an incident. The new rules also require foreign private issuers to disclose material cyber incidents to the SEC if they are already required to:

• disclose the incident under the laws of their home jurisdiction;
• report it pursuant to stock exchange requirements; or
• disclose it to their shareholders.

As part of the disclosure, companies must describe material aspects of the nature, scope, and timing of the incident, as well as the material (or reasonably likely) impact on the company, including its financial condition and results of operations. Companies making such mandatory disclosures are likely to face an increase in scrutiny and litigation risk from investors and consumers.

Evolving case law and legislation

The UK Supreme Court decision in Lloyd v Google made opt-out UK General Data Protection Regulation (GDPR) mass claims much harder to bring in England & Wales and few opt-out claims in England & Wales have got off the ground since this judgment. However, case law in this area is still embryonic and several funders and plaintiffs are testing where the courts will set the boundaries and parameters.

The recent EU Court of Justice decision in Austrian Post was, in some senses, a blow to low-value claims in the EU, since it determined that the mere infringement of the EU’s GDPR does not in itself confer a right for compensation. However, the court declined to set an EU-wide minimum threshold for the seriousness of non-material damage required to bring a claim, leaving it open for national courts to decide.

In the US, a frequent threshold hurdle for data breach plaintiffs is satisfying the federal standing requirements, specifically that of ‘injury-in-fact’. Recently, US courts have applied the 2021 US Supreme Court’s holding in TransUnion v Ramirez—that the mere risk of future harm on its own cannot qualify as a concrete harm—in the data breach context to dismiss data breach claims that are insufficiently concrete. However, we are seeing a divergence among federal courts in the US. Some courts are distinguishing TransUnion on procedural grounds or finding sufficiently concrete harm, to allow data breach claims to proceed.

Although these recent UK, EU and US judgments have posed a challenge to data-related mass claims, a number of new laws have been passed that are in a potential claimant’s favour.

In the US, new state laws incentivise plaintiffs to bring claims by providing an avenue to obtain statutory damages for data breaches even in the absence of damages to the individual. For example, the California Consumer Privacy Act provides plaintiffs with statutory damages of up to US$750 per impacted individual where they can show that the breach was the result of a business’s failure to maintain reasonable security procedures and practices.

The new Representative Actions Directive (RAD) requires EU Member States to have a domestic procedural mechanism for collective redress and is expected to increase the number of data-related collective actions. Nevertheless, the need to evidence non-material damage may still be a major obstacle in some cases.

Rise in non-data breach litigation

While hacks, cyber attacks and ransomware often grab the headlines, that is far from where data litigation ends.

There has been a rise in litigation relating to cross-border data transfers, misuse of personal data, online safety and shortcomings in privacy policies. Data scraping is another area that litigants have focused on recently; from third parties scraping data from websites, to privacy and digital rights organisations filing complaints against companies for scraping images for facial recognition technology. In the US, recent class actions have been brought for the use of mass data scraping for the purpose of training artificial intelligence (AI) large language models.

As data-related laws and regulations (such as those concerning AI) develop, the scope for new grounds of legal challenges are likely to emerge.

Corporate victims go on the offensive

While plaintiffs in data litigation cases are often consumers or privacy campaigners, it is increasingly common to see businesses affected by breaches, unauthorised data scraping or hackers acting against malicious third-party actors.

There are a wide variety of protective and reactive steps available to businesses, depending on the nature of the incident. These include:

• limiting the accessibility to stolen data through take-down notices and injunctions;
• suing bad actors for breaching a website’s terms; and
• cooperating with law enforcement to recover data. Co-operation with US federal law enforcement in particular has proven beneficial to victims of data-related crimes, especially where US authorities have been able to share threat intelligence information and, in some cases, use their own powers to seize data and recover stolen funds.

Looking ahead

The potential risks arising from data-related litigation are complex and wide-ranging, and the legal and regulatory landscape is changing rapidly.

Litigation risk is often understandably low on an organisation’s worry list in the immediate aftermath of a data-related incident. However, there is often much that can be done in that time and the following weeks in order to mitigate litigation risk.

Responding to complex legal claims and regulatory inquiries in parallel:

• can impose a significant burden on the resources of a company’s internal functions, and not just legal teams; and
• requires careful management to ensure that the output of regulatory and litigation workstreams are aligned.

The difficulties in handling regulatory inquiries and litigation in parallel are not to be underestimated.

In our experience, businesses that turn their minds quickly to these issues, including taking offensive steps where helpful, are often the ones that have the best prospects of defending claims, or avoiding being sued altogether.

Back to top.