As the amount of personal data stored and transferred electronically increases at an exponential rate, data breach claims are going to form an ever-increasing part of the media cases we insure. In this article, I take a closer look at this trend.
How do after-the-event (ATE) insurance underwriters approach these claims? In a word, cautiously.
Experienced, expert litigators
When an area of law suddenly seems to open up an avenue for high-volume litigation, there can be a tendency for everyone to become an overnight expert with access to thousands of potential claimants needing insurance.
Step one is thus to look carefully at the track record of the solicitors who will be handling these cases and the counsel they instruct. They need to demonstrate experience and expertise both in terms of the law and in the management of high-volume litigation where the firm might be representing hundreds if not thousands of clients, each with slightly different claims.
What actually happened?
I am no data expert but, as an underwriter, I need to know, in layman’s terms, what data was mishandled, how it was mishandled and what happened to the data (was it permanently lost, passed to unknown third parties and/or simply unavailable for a period of time?).
Expert evidence will often be useful, if not vital, to untangle the details of the relevant data breach. An Information Commissioner’s Office report and any internal reports will always be helpful when available.
Loss and damage
This is often the most difficult and contentious issue in any data breach claim and the law is still developing.
Article 82 of the 2016 EU General Data Protection Regulation provides: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” This provision is now incorporated in the same terms in the UK GDPR.
Section 168 of the Data Protection Act 2018 (DPA) confirms that “‘non-material damage’ includes distress”.
Section 169 continues: “A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the UK GDPR, is entitled to compensation for that damage from the controller or the processor…”
Sub-section 5 provides that “‘damage’ includes financial loss and damage not involving financial loss, such as distress”.
Non-material damage has been the cause of a great deal of judicial debate over a relatively short time and is usually the single most challenging aspect of any data breach claim presented to us for insurance.
The courts have held that there is a threshold of seriousness that has to be reached in order to overcome the de minimis principle in non-material damage cases (see Johnson v Eastlight Community Homes Limited EWHC 3069 (QB), Cleary v Marston (Holdings) Ltd EWHC 3809 (QB) and, in the context of representative proceedings under CPR part 19, Prismall v Google UK Ltd EWHC 1169 (KB)).
In practice, in non-material damage cases, I am looking for evidence that the claimant has suffered genuine, material and significant distress caused by the data breach. That has to be tested against the nature and extent of the data breach or, in simpler terms, the nature of the information that was lost, taken and/or mishandled, and for how long.
In addition, some common sense and one’s experience of life help, and all of this has to be judged in the context of potential claimants who are expected to be of reasonable fortitude (unless, in the case of individuals, they are particularly vulnerable).
To take a hypothetical but representative set of facts, a group action might include within the group individuals who lost some or all of the following personal information:
- i) Full name & address;
- ii) Date of birth;
- iii) Mobile and/or landline phone numbers;
- iv) Driving licence number;
- v) Name of bank;
- vi) Relevant branch;
- vii) Part of credit or debit card number;
- viii) Full credit or debit card number;
- ix) Part of online banking password; and
- x) Full online banking password.
Common sense and one’s own experience would suggest that, if all 10 of these items of data had been lost and/or transferred, a person of reasonable fortitude would be distressed and significantly inconvenienced.
There would be the inevitable worry about identity theft and theft from the claimant’s bank account. The claimant would have to spend a significant amount of time changing passwords and checking accounts.
If the individual was vulnerable, perhaps elderly, the distress would be greater. However, at the opposite end of the scale, if the breach was limited to items i), ii) and iii), would there be any basis for a claim? On the other hand, if the data consisted of items i) to iii) but all of the claimant group were police officers, would their distress be greater?
Could they be regarded as vulnerable because if their home addresses and phone numbers passed into the wrong hands, they and their families could be at risk? In those circumstances, one would want to know more about what had, in fact, happened to the data to weigh up how genuine any fear or concerns were.
It follows that, to assist the underwriting process for each claimant (whether or not forming part of a group), the underwriter needs the degree of granular detail discussed above along with a proper assessment of damages for the individual claimants.
Seeing a ‘tariff’ would be very helpful, but it is difficult to point to any particular authorities that might help – a data breach Kemp & Kemp is just waiting to be published!
Misuse of private information (MOPI) and recoverable premiums
It is now well established that a defendant must actively misuse private information, in other words, do something with the private information (see Warren v DSG Retail Ltd EWHC 2168 (QB) as applied in Smith v TalkTalk Telecom Group PLC 1311 (QB)). The tort is, in a sense, a sin of commission and not omission.
Claimants will often seek to include a MOPI claim alongside a data breach claim. This may be motivated by the fact that ATE premiums for MOPI claims are recoverable. Underwriters will want to see clear evidence of the required positive act of the defendant that is said to have amounted to the alleged misuse of private information before offering to insure that aspect of the case.
Data breach litigation is, in a way, still in its infancy. Nonetheless, data breaches happen and will continue to happen more frequently as more and more of our data is processed, often without people realising.
When things go wrong, those whose data has been mishandled suffer financial loss, are often put to significant expense and are inconvenienced and distressed. They have a clear right to be compensated and are perfectly entitled to be compensated.
These might be relatively low-value individual claims that will be heard in the appropriate track (including the new intermediate track) in the county court.
In other cases, there will be many hundreds of claimants with good claims against the same defendant arising out of the same data breach and those claims ought to be heard in the High Court, where group litigation can be better managed.
As this area of law develops, litigants will be helped by decisions, in particular on quantum, that will guide them and those advising and supporting them.