Data trends 2024
Chapter 6: Growing risk of data litigation
By Richard Bird, Mark Egeler, Adam Gillert, Daniel Gold, Catherine Greenwood-Smith, Timothy Howard, Severin Kehrer, Fiona McHugh, Adam Silow, Rhodri Thomas and Christoph Werkmeister
IN BRIEF
Well-publicised and extensive data breaches have always carried the risk of costly and reputationally damaging mass litigation, and such claims continue apace. Add into the mix recent trends—such as the rise in other data-related litigation (where no data breach occurred), an increasingly onerous regulatory environment, more active plaintiff law firms, and companies going on the offensive to protect their data—and it is clear why data litigation has been, and will remain, a primary area of concern for many general counsel.
This article identifies four recent trends that have increased the risk of data litigation for global businesses, and explores what actions organisations should take to address them.
Companies suffering data breaches have always faced a risk of litigation, but this risk has markedly increased in recent years.
Plaintiff law firms are becoming more active in this field, in part due to the significant increase in plaintiff-side mass claims funding and the ease of identifying and recruiting potential plaintiffs. It is becoming increasingly common for litigation proceedings to be issued earlier, and in parallel with regulatory proceedings.
In addition, plaintiff firms, particularly in Germany and Austria, often bring hundreds, or even thousands, of individual actions in parallel, creating in effect an informal class action and an immense administrative burden for businesses and courts alike.
Companies often underestimate the risk of having to defend hundreds or thousands of separate claims. With such large numbers, it is likely that in at least a handful of cases the plaintiffs will win (at least at first instance), which plaintiff firms publicise to help their recruitment campaigns. In Germany, this is fuelled by the majority of individuals having legal claims insurance, which covers any litigation-related costs regardless of the outcome. This means that for plaintiffs, litigation is a win-win.
Severin Kehrer, Principal Associate
This trend is likely to be exacerbated in the US by the Securities and Exchange Commission's (SEC) new cybersecurity disclosure rules, which require all US reporting companies to disclose material cybersecurity incidents within four business days of the company determining that the incident is material. The new rules also require foreign private issuers to disclose material cyber incidents to the SEC if they are already required to:
As part of the disclosure, companies must describe material aspects of the nature, scope, and timing of the incident, as well as the material (or reasonably likely) impact on the company, including its financial condition and results of operations. Companies making such mandatory disclosures are likely to face an increase in scrutiny and litigation risk from investors and consumers.
The UK Supreme Court decision in Lloyd v Google made opt-out UK General Data Protection Regulation (GDPR) mass claims much harder to bring in England & Wales and few opt-out claims in England & Wales have got off the ground since this judgment. However, case law in this area is still embryonic and several funders and plaintiffs are testing where the courts will set the boundaries and parameters.
The recent EU Court of Justice decision in Austrian Post was, in some senses, a blow to low-value claims in the EU, since it determined that the mere infringement of the EU's GDPR does not in itself confer a right to compensation. However, the court also held that the right to compensation is not conditional on the non-material damage reaching a particular threshold of seriousness, and it left the assessment of the amount of compensation to national courts applying their own rules.
In the US, a frequent threshold hurdle for data breach plaintiffs is satisfying the federal standing requirements, specifically that of 'injury-in-fact'. Recently, US courts have applied the US Supreme Court's 2021 holding in TransUnion v Ramirez—that the mere risk of future harm on its own cannot qualify as a concrete harm—in the data breach context to dismiss data breach claims that are insufficiently concrete. However, we are seeing a divergence among federal courts in the US: some courts are distinguishing TransUnion on procedural grounds, or finding sufficiently concrete harm, to allow data breach claims to proceed.
The nascent nature of jurisprudence in this area creates fertile ground for plaintiffs looking to test the boundaries of privacy law. Many funders are aware of this and the opportunities it creates.
Rhodri Thomas, Partner
Although these recent UK, EU and US judgments have posed a challenge to data-related mass claims, a number of new laws have been passed that are in a potential claimant’s favour.
In the US, new state laws incentivise plaintiffs to bring claims by providing an avenue to obtain statutory damages for data breaches even where the individual cannot show actual loss. For example, the California Consumer Privacy Act provides plaintiffs with statutory damages of between US$100 and US$750 per consumer per incident where they can show that the breach was the result of a business's failure to maintain reasonable security procedures and practices.
The new Representative Actions Directive (RAD) requires EU Member States to have a domestic procedural mechanism for collective redress and is expected to increase the number of data-related collective actions. Nevertheless, the need to evidence non-material damage may still be a major obstacle in some cases.
The Netherlands in particular is becoming a go-to jurisdiction for plaintiff lawyers in data-related litigation. A commonly heard saying is 'the data protection regulator cannot do it alone', and that private enforcement must become more mainstream—this is obviously concerning for companies that are working on complying with a patchwork of data-related legislation.
Mark Egeler, Senior Associate
While hacks, cyber attacks and ransomware often grab the headlines, that is far from where data litigation ends.
There has been a rise in litigation relating to cross-border data transfers, misuse of personal data, online safety and shortcomings in privacy policies. Data scraping is another area that litigants have focused on recently; from third parties scraping data from websites, to privacy and digital rights organisations filing complaints against companies for scraping images for facial recognition technology. In the US, recent class actions have been brought for the use of mass data scraping for the purpose of training artificial intelligence (AI) large language models.
As data-related laws and regulations (such as those concerning AI) develop, new grounds of legal challenge are likely to emerge.
While plaintiffs in data litigation cases are often consumers or privacy campaigners, it is increasingly common to see businesses that have been affected by breaches, unauthorised data scraping or hacking take action themselves against the malicious third parties responsible.
There are a wide variety of protective and reactive steps available to businesses, depending on the nature of the incident. These include:
The potential risks arising from data-related litigation are complex and wide-ranging, and the legal and regulatory landscape is changing rapidly.
Litigation risk is understandably low on an organisation's worry list in the immediate aftermath of a data-related incident. However, there is often much that can be done in that period and the following weeks to mitigate litigation risk.
Responding to complex legal claims and regulatory inquiries in parallel:
The difficulties in handling regulatory inquiries and litigation in parallel are not to be underestimated.
In our experience, businesses that turn their minds quickly to these issues, including taking offensive steps where helpful, are often the ones that have the best prospects of defending claims, or avoiding being sued altogether.