Cyber Risk Legal Update - APRIL 2015
APRIL 2015 Cyber Risk legal update
Cyber Insurance, Privacy and Data Security Newsletter
Civil litigation for compensation arising out of data breaches has a greater prevalence in the US and is often cited as one of the reasons why cyber insurance take up has been slower in the rest of the world.
LinkedIn recently settled a class action for damages arising out of the 2012 hack in which approximately 6.5 million passwords were stolen by Russian cybercriminals. The firm agreed to pay $1.25m to US plaintiffs who purchased a premium subscription on the basis that they were influenced by LinkedIn's statements about its security measures. A website has been set-up for compensation claims.
In the UK however, data protection, privacy and cyber issues are rarely litigated. However, litigated claims for compensation appear to be on the rise, with a number of recent cases dealing with the thorny issue of whether compensation for moral damage ought to be available to victims of data breaches if they have not suffered a financial loss.
In our December edition, we reported on the first day of the Court of Appeal's hearing of Vidal-Hall v Google, a case which concerned the collection by Google of information about the internet usage of Apple Safari users by cookies. Google appealed the High Court's decision to permit the claimants to sue Google for distress compensation without having suffered a financial loss.
On 27 March 2015, in a landmark decision, the Court of Appeal endorsed the High Court's approach, establishing a new tort of misuse of private information and, crucially, granted the claimants permission to pursue compensation for mere distress caused by breaches of the DPA under s.13(2) for the first time.
This decision is likely to have a huge impact on privacy law in the UK, paving the way for increasing claims in damages for data protection breaches. The sums obtained will invariably be small, but the potential for large volumes of these small claims will be a worry to companies controlling significant volumes of personal data. Google will seek to appeal the decision, and based on the Court of Appeal's comments that "whilst the damages may be small, the issues of principle are large," they may well get it.
Another case worth a mention is CG v Facebook, in which judgment was handed down in February this year. The Northern Irish High Court found that Facebook Ireland Ltd and an individual owner of a Facebook page misused the private information of the claimant, a convicted sex offender. Offensive personal comments were repeatedly posted on a Facebook page.
The claimant brought a claim against Facebook for misuse of private information, harassment and breach of the DPA. The Court held that Facebook was liable in respect of the postings, particularly on the basis that it had misused the claimant's private information by failing to delete the postings, even after the claimant had complained about them. The individual owner of the page was also held liable for misuse of the claimant's private information in his capacity as primary publisher of the information. Given the nature of the posts, he was also liable for harassment.
The Facebook case may also have led to a discussion on the meaning of damages and distress under s.13 DPA similar to that in Vidal-Hall, however as the claimant failed to prove that Facebook Ireland (which was incorporated in the Republic of Ireland) was "established" in the UK under s.5 DPA, the DPA was held not to apply.
Click the below headings to read more on each of the developments...
- MOU between ICO and FCA published
- Consultation on ICO corporate plan
- Court finds Max Mosley has possible DPA case against Google
- CMA consumer data review researchers appointed
- Police renew IFB anti-crime partnership
- Regulation of Investigatory Powers (Communications Data) (Amendment) Order 2015 (SI 2015/228)
- ICO reveal cookie sweep findings
- Microsoft the first to adopt ISO Code of practice for protection in public clouds
- WP29 release letter on scope of health data
- Enforced Subject access requests illegal from 10th March
- Government to make it easier for the ICO to fine nuisance call companies
- ICO undertakings
- ICO monetary penalties
EU Data Protection Regulation Developments
Council continues to work on EU Regulation Draft
Updates from around the World...
Key Dates Calendar
For more information on DAC Beachcroft please contact:
Rhiannon Davies, Associate
+44 (0) 20 7894 6577
You might also like ...
July 2014 update
Catch up with the latest cyber risk legislation and regulatory developments with the DAC Beachcroft Adviser Newsletter
Data protection and privacy is only one element of cyber risk and there have been a number of recent public and private sector initiatives which highlight the need to mitigate cyber risk from a business disruption perspective.