A new trend of employers’ liability claims for data breaches

Personal data is often referred to as the currency of the digital age. As such it is not surprising that there has been an increasing awareness around personal data sets and data protection rights in addition to a heightened cyber risk.

We are seeing a growing trend of employers’ liability (EL) claims being brought against employers relating to alleged wrongful disclosure of an employee’s data. We are also coming across more firms which traditionally specialise in claimant personal injury work adding data breach claims as an area of practice, often on a ‘no win no fee’ basis.

Employers’ duties

Employers collect and retain personal data (including sensitive/special category data) on their employees for various legitimate purposes. Issues arise, however, when such data is disclosed (usually inadvertently). According to the UK General Data Protection Regulation (UK GDPR), “personal data” is any data which can be used to identify a living person. It is therefore very wide in scope and, as such, there are restrictions on when this data can be disclosed/processed.

Although claims for data breach are often of relatively low value, they can affect numerous individuals at a time and consequently, have led to large group actions.

When a data breach occurs, it is important that an employer takes steps to mitigate the incident (i.e. tries to retrieve the data in question) if possible, and considers whether the matter should be reported to the Information Commissioner’s Office (ICO); where a report is required, it should be made within 72 hours. There can be significant fines for failing to report a reportable incident to the ICO within the set timescale.

Many EL policies will provide indemnity in relation to third party claims for data breaches. It will be important however for an insurer faced with such a claim to check the scope of the policy, as well as any relevant exclusions. If the policy provides cover, the Pre-Action Protocol for Media and Communication Claims indicates a defendant should seek to provide a full response to a Letter of Claim within 14 days (or advise when they will be able to respond by), meaning insurers will need to review indemnity and investigate promptly.

Applicable law

Although the data protection legislation/regulations below contain similar principles, the applicable legislation will depend on when the alleged breach occurred:

  • Post 1 January 2021: UK GDPR & Data Protection Act 2018
  • 25 May 2018 – 31 December 2020: GDPR (EU2016/679) & Data Protection Act 2018
  • Pre 25 May 2018: Data Protection Act 1998

Claims for data breaches are typically brought alongside other claims in tort, for example breach of confidence, misuse of private information etc. However, the court will usually not award additional damages for these further pleaded claims.

Common (but non-exhaustive) defences to EL data protection claims include:

  • Occasionally there will be a factual dispute in circumstances where the employer may not have been the data controller or processor (i.e. it did not hold or disclose the data complained of). Usually the facts are straightforward, unless the claimant is simply mistaken as to who disclosed their data.
  • It is important to look at why the data was disclosed. A common defence will be that the data was disclosed with the claimant’s consent. This will often involve, for example, providing information concerning the employee (such as salary information) to a third party seeking a reference (for rental accommodation, for example), providing a reference to a prospective employer, or making a referral to an occupational health organisation. There are five other lawful bases for processing personal data, as set out in Article 6 of the UK GDPR, for example where processing was necessary to comply with a legal obligation (e.g. an employer that is required to provide personal details of its employees to HMRC). In respect of special category data, in order to process the data lawfully the employer will have required one lawful basis under Article 6 and a further lawful basis under Article 9.
  • The claimant will need to show that any loss or damage was not trivial and fell above the de minimis threshold. In Rolfe & Ors v Veale Wasbrough Vizards LLP [07.09.21], the defendant was granted summary judgment where, as a result of an e-mail address being typed incorrectly, information containing the claimants’ names, addresses and school fees was wrongly sent to a third party. The e-mail was promptly deleted by the incorrect recipient and the court held that there was no credible evidence that any distress or damage suffered by the claimants was over the de minimis threshold.
  • Helpfully for employers and their insurers, the Supreme Court held in WM Supermarkets v Various Claimants [2020] that where a rogue employee causes a data breach for their own purposes (in this case, seeking to disrupt the defendant’s business), the employer will not be vicariously liable for their actions. This will assist businesses where the data breach is caused by the deliberate act of a disgruntled employee.
  • In Lloyd v Google [10.11.21], a group action was brought on behalf of four million Apple users for ‘loss of control’ of their data. The claim was dismissed by the Supreme Court, which held that ‘loss of control’ of personal data was not a basis for damages under the Data Protection Act 1998, which applied at the relevant time. The Supreme Court judgment is clear that the decision was made with consideration to the DPA 1998 only. It therefore remains unclear whether claims for loss of control of personal data could succeed under the updated data protection framework.

Comment

As claims for alleged data protection breaches become more prolific, we expect to see more claims brought in an EL context in the future. As such, it is more important than ever for liability insurers to carefully examine their exposures if they are to steer clear of a flood of unexpected claims. Employers should also take proactive steps to prepare for a notifiable data breach incident as, in the long term, this is likely to minimise both regulatory and reputational impact.
