A new frontier in litigation: how companies use personal data

By Jessica Tasman-Jones

This article is brought to you by Agenda, an FT Specialist publication that focuses on corporate boards

An increasing number of data breach claims are being pursued against companies whose business models use customers’ personal information, according to the sixth annual global disputes forecast from law firm Baker McKenzie.

The report – which surveyed 600 senior legal and risk leaders from large companies in the UK, USA, Singapore and Brazil – found that cybersecurity and data are the top legal risks facing companies for the second year running.

While the majority of data claims relate to breaches caused by cyber attacks, the report also highlighted "an expanding number of class action claims being pursued against business models that use data".

This includes claims against companies that have databases that can be licensed to others, third-party cookies that track ads and social media companies that use people’s data for alternative purposes, such as advertising.

Facebook-owner Meta faces a £2.3bn lawsuit, for example. The social media giant is accused of abusing its market dominance by including unfair terms for use of users’ personal data.

The case, which is proceeding through the UK’s Competition Appeal Tribunal, is brought on behalf of anyone in the UK who used Facebook between 11 February 2016 and 31 December 2019. That covers about 44 million users, but individuals can choose to opt out of the class action.

The trend in class actions arising from data breaches has changed considerably over the last couple of years, says Simmons and Simmons disputes partner Robert Allen.

A number of high-profile data class actions were discontinued in the UK after the Supreme Court ruled in favour of Google in 2021, when it faced a claim alleging the tech giant had secretly tracked iPhone users between 2011 and 2012, says Allen.

The court ruled unanimously that the claimant, former Which? director Richard Lloyd, was unable to establish that any individual in the class-action case was entitled to damages due to financial loss or distress.

That decision effectively ruled out opt-out mechanisms, explains Allen. This style of action, seen more in the US, is where participants are automatically included in proceedings unless they formally back out. In the English system, under civil procedure rules, there is an opt-out option but it is more difficult to use.

Opt-out claims are available in competition cases, however, and Allen expects more data breach claims to appear before the Competition Appeal Tribunal as a result. Indeed, this is where the current case against Meta is being heard.

Boards should have a director with appropriate knowledge who has overall responsibility for cyber risk, says Paul Glass, partner and head of cybersecurity in the UK at Baker McKenzie. There is a lot of uncertainty in English law when it comes to data breaches and what level of damages is available to claimants, he says.

Judges have ruled that minimal levels of distress do not warrant a damages award for individual claimants, but it has not been properly tested at the level of class actions, says Glass.

This article is based on a story written for Agenda by Nick Muscavage
