If an organisation falls victim to a cyber-attack where the cybercriminal manages to impact information that the organisation holds on third parties, can it be sued by those third parties?
For example, imagine a Cloud service provider that suffers a ransomware attack that encrypts, exfiltrates and doxes its customers' data. Can the organisation be sued by its customers or employees for failing to keep their data safe and secure?
If the organisation truly is a victim and the impacted information is private or confidential, there’s little risk of a successful claim being brought against it under the tort of misuse of private information (“MPI”), or for breach of confidence. In the case of Warren v. DSG (2021), the High Court struck out claims of this nature against a retailer by its customers. DSG fell victim to a cyber-attack that impacted its customers’ personal data processed by its point-of-sale terminals. The reason for the strike out was that these causes of action require the defendant to have misused the information - that is, a positive act of misuse by it - which didn’t happen. DSG was a victim of the cyber-attack, not an entity that misused information. The misuse was by the cybercriminal.
Smith & Others v. TalkTalk Telecom Group plc (2022) confirmed Warren, in a case also about a cyber-attack. The claimants sued TalkTalk under MPI, for failing to keep their personal data safe from the attacker, but their claims were also struck out, for the same reasons: it was the attacker that had misused their data, not the defendant.
Another case about misuse of personal data is Underwood v. Bounty UK Ltd and Another (2022). While it concerned the acquisition of medical data on a hospital ward by a marketing company, Bounty, that was permitted access by the hospital Trust, rather than a cyber-attack, it confirms the point that the idea of misuse needs a positive act: while the Trust allowed Bounty onto the ward, it did not positively engage in Bounty’s acquisition of the medical data.
What we take from these cases is that being insecure and suffering cyber-attacks doesn’t amount to acts of misuse for the purposes of MPI or breach of confidence claims. Instead, the organisation is a victim of the attacker’s misuse of the data it holds. This idea of the organisation-as-a-victim in security breach cases was also confirmed in WM Morrison Supermarkets plc v. Various Claimants (2020).
In these situations the organisation won’t have to worry too much about a claim in negligence brought by its customers either, if their information constitutes personal data within the meaning of the GDPR. This is because the law doesn’t allow negligence cases that cover the same ground as a statutory duty that grants compensation remedies to those who are protected by the duty (which the GDPR grants for the security of personal data). This was established in Smeaton v. Equifax (2013) and confirmed in Warren.
So, considering what I’ve said, an organisation that falls victim to a cyber-attack that impacts third party information that it holds doesn’t have any litigation risks to worry about, right?
Wrong. If the information is personal data, the third parties could sue the organisation for compensation under the GDPR, for failing to keep their data safe and secure. This is because of the statutory duty for the security of personal data. The duty means that the organisation must take appropriate technical and organisational measures (“ATOM”) to protect personal data from cyber-attacks. If the ATOMs aren’t sufficient, the organisation will be liable for the resulting damage suffered by the impacted persons.
Interestingly, the idea of damage for the purpose of the GDPR is different to the idea of damage in negligence cases (which, we’ve established, can’t be pursued where there is a statutory duty in place). Under the GDPR, damage includes distress that falls short of a psychiatric condition, but under the law of negligence compensation cannot be awarded if the distress doesn’t reach that level. This means that the GDPR has a lower threshold to compensation than the law of negligence. However, for compensation to be awarded under the GDPR the distress still must be more than de minimis - i.e., more than trivial (see Bounty, again, for insights). Compensation can be sought under the GDPR for psychiatric damage and financial loss, of course.
What about the position of non-personal data that isn’t subject to the GDPR’s statutory duty? Such data might be confidential financial data or intellectual property information belonging to a company that is held by the organisation that is the victim of the cyber-attack. The rule in Smeaton against negligence claims where there is a statutory duty in place will not apply, because there isn’t a statutory duty for the security of non-personal data equivalent to the GDPR (i.e., a statute that grants rights of compensation to those protected by the duty). Therefore, a negligence claim seeking compensation for a failure to secure the confidential information against a cyber-attack is feasible, provided that the rules in Caparo v. Dickman are satisfied.
So how large can a compensation claim be? For basic, low-level distress claims under the GDPR, claimants might reasonably expect only a few hundred pounds in damages, but the more distress they claim and the more credible their claim of distress is, the higher their compensation will be. If they suffer financial loss that can be attributed to the organisation’s failure of ATOMs to guard against the cyber-attack, their claim might be considerable. However, in most cases GDPR claims aren’t financially troublesome for organisations.
The real problems arise if a “class action” can be formed. There are two kinds of class action, Group Litigation and Representative Actions. Group Litigation is “opt-in”, so that people must elect to join the class, while Representative Actions are effectively “opt-out” and can be brought without the hassle of having to build the class. Due to the Lloyd v. Google (2021) case, which has been followed in other cases such as Prismall v. Google (2023), Representative Actions are highly unlikely to succeed in GDPR cases, leaving Group Litigation as the only viable route.
The risks of Group Litigation are significant. The WM Morrison case had a group of over 5,000 claimants. The British Airways group was over 23,000. If 5,000 people were awarded moderate damages for distress after a cyber-attack of £500 per person, that would be worth £2.5M across the group, or £11.5M for the BA group. In Ali v. Chief Constable of Bedfordshire (2023), £3,000 was awarded for distress following the unlawful disclosure of data. In Driver v. Crown Prosecution Service (2022) £250 was awarded for very modest distress.
Therefore, there’s a big incentive for claimant law firms to build very large groups, which is why some of them launch marketing campaigns after big security breaches, to sign up claimants when passions are high. Many law firms compete to gain clients after these cases, so there can be many of them involved in Group Litigation.
Group Litigation begins with a Group Litigation Order (GLO). It establishes the group, a lead claimant law firm and a legal steering committee consisting of representatives of the various claimant law firms involved, and it sets directions for the advertising of the GLO (to call for others to join the litigation) and the management of the litigation. These cases can soon become unwieldy and massively expensive for all sides involved, so there are devices that the court can use to streamline things. These include ordering split trials, so that liability is dealt with first and separately from the compensation trial, or a “Lead Claim” model, where a few cases are tried as test cases (as was adopted in Beck and Others v. The Police Federation of England and Wales (2023)). These devices for streamlining Group Litigation have pros and cons for both sides. Depending on how you look at things, they may amplify or reduce legal risks.
The above picture represents the laws of England and Wales. You can form your own view of the extent of the litigation risks for organisations that fall victim to cyber-attacks, in terms of the risks of compensation claims brought by the people whose data they are holding. Whatever view you reach, I can promise you that the picture is much worse in the EU, insofar as the GDPR is concerned. See the CJEU judgment in Austria Post (2023). I will review that soon.