Colin Hutton: Class action claims could make data breaches disastrous
While the SNP would have been pleased with its strong performance in May’s European elections, the party’s campaign got off to an unfortunate start when thousands of personalised letters (part of a mailshot to more than 400,000 Scottish voters) were sent to the wrong people. It was widely reported at the time how this error had caused some distress among mainly elderly recipients who were concerned their address was being targeted by fraudsters. The SNP, quite properly, reported itself to the Information Commissioner (ICO) and an investigation is now under way with the party facing potential regulatory fines.
The need to exercise care with mass communications – whether to the electorate or to another audience such as a business’s customer base – is not, however, only about potential ICO fines. Under GDPR, individuals have the right to seek damages for data breaches, including for distress. While each individual claim may not be a major issue, the potential for class actions most certainly is – and if Scotland adopts the US-style opt-out class action procedure, this will have a significant impact.
The UK civil justice system does not presently support opt-out class action procedures (other than in the Competition Appeal Tribunal). Instead, group claims currently proceed on an opt-in basis, requiring active participation by each individual claimant. If the opt-out procedure is adopted in Scotland, all potential claimants in the class would automatically be included without the need for individual participation. Under this model, a data breach that occurred in the context of an electoral mailshot that was being sent to all of Scotland’s 4.11 million registered voters could have severe consequences. Even if each individual claim was valued at just £10, the automatic inclusion of all claimants would create a significant damages liability.
The primary legislation is already in place to support the introduction of the new group procedure in Scotland, with provision for both opt-in and opt-out processes. However, it remains to be decided which types of claim will be identified as suitable for opt-out. If that approach is made available for data breach claims, the risk associated with significant data breaches will increase.
With an ever-growing public awareness of personal data rights there is clearly a growing appetite for streamlined group claims which will allow individuals to access remedies in data breach cases more easily.
Last year’s data breach class action against Wm Morrisons Supermarket plc, which is currently pending appeal, was the first successful case of its kind in the UK, and in March a further class action was launched against Ticketmaster for a 2018 data breach. However, these cases are being pursued under opt-in procedures, which limits the claimant numbers. If Scotland adopts the more radical opt-out approach, that would be a major game-changer for data breach mass claims.
These developments should serve as a stark early warning to politicians, businesses and all other organisations handling personal data. They should focus on taking steps to minimise the chances of breaches occurring, identify steps to manage and mitigate risks and ensure they have adequate contracts and insurance in place to cover the potential exposure arising from class action claims.
Opt-out class actions have long been available to American consumers. The prospect of Scottish courts adopting these procedures means political parties must tread more carefully in future when seeking to interact with the electorate. A serious data breach could prove a costly mistake overshadowing any positive outcomes in future elections, no matter how well they perform.
Colin Hutton is a partner at CMS. This article first appeared in The Herald.