Move over PPI, data breach claims are coming

It’s been almost impossible to ignore the ‘Payment Protection Insurance’ (PPI) scandal in recent years. Due to the countless adverts and cold-callers contacting those who may have been affected, consumers have been well-informed about the PPI mis-selling saga which has seen financial institutions pay out more than £35bn in compensation. However, with the deadline for making PPI claims coming in 2019, are we set to see a shift towards claims companies and law firms taking more of an interest in representing those who have had their details compromised in a data breach?

9.4M people were recently reported to have had personal data compromised by the airline Cathay Pacific, and following this, law firm SPG set up a website for those who had their details stolen and encouraged them to take part in a group lawsuit against the travel provider. With data breaches still happening on an almost daily basis, could this sort of legal action become commonplace and open the floodgates for claims for all breaches of data privacy law? Naaman Hart, managed services security engineer at Digital Guardian, believes that this could be the case:

“I believe that data protection lawsuits (private and class action) could be a real issue for companies in the future. When GDPR was launched the primary fear seemed to be directed at fines from the regulator that – while high (€20 million or 4% annual global turnover) – don’t represent the true financial risk of a breach. In the event of a breach, multiple individuals could group together under a class action lawsuit that has no theoretical maximum in terms of a pay-out. The number of parties possibly affected, the types of data that can be lost, the need to notify all affected parties and other criteria all point towards a perfect storm in favour of exorbitant pay-out costs.

“Due to this, GDPR ‘Ambulance Chasers’ are an extremely likely outcome in the short to medium term. As test cases are put forward and come to conclusion, it will either encourage more firms to take part in ‘no win, no fee’ litigation or it will taper off if the financial outcome isn’t in favour of the legal firms.

“Ultimately, we have to wait and see what the outcome of the first few cases is, while acknowledging the very plausible risk that’s represented by personal claims under GDPR.”

Public knowledge of data privacy has arguably never been better, and this will mean consumers are wise to their rights, which could see this trend take off. Jo Blazey, Global Data Governance Officer at Commvault, also believes that the wide coverage of data breaches in the media will only make people more aware and more likely to act on this information:

“I think we will see more group actions as a result of the almost daily headlines of data breaches and the increasing awareness of individuals about their rights in relation to personal data. The recent high court ruling in Lloyd v Google LLC has however potentially made it harder to bring a group action for breach of data protection legislation with its clarification that each member of the group needs to have the ‘same interest’ in the claim.

“The best preparation for an organisation worried about the risk of a group action is to minimise the risk of the data breach occurring in the first place through a data protection and privacy programme that builds and sustains a culture of handling personal data with care.”

With data driving business more than ever before, and even being touted as more valuable than oil, it is a crucial asset and one that needs to be given the protection it deserves. Neil Stobart, VP of Global System Engineering at Cloudian, accepts that there are challenges businesses will face, but says that they need to tackle them:

“Data is key to business success but also entails financial and reputational risk should a breach occur. It is unsurprising, therefore, that protecting this asset has become more important than ever.

“However, data protection is now significantly more challenging, given the continued explosion of data volumes and demand for instant accessibility, alongside more stringent retention and compliance requirements. Unfortunately, legacy technology and infrastructure often can’t meet these challenges, resulting in excessive backup times — or in some cases, backup failure — as well as an inability to meet recovery objectives.

“A modern data protection strategy requires a storage foundation that delivers the right balance of performance, availability and cost for today’s demands, including the ability to scale as an organisation and its data grows. This foundation will increasingly entail a mix of public and on-premises private cloud, with the ability to manage data seamlessly across all environments.”

With GDPR introduced just over six months ago, we are only now starting to see some of the fallout, and lawsuits are just one of the ramifications that could develop in the next year. 2019 is set to be a big year for GDPR and data regulation all over the world as consumers and businesses wise up to their rights and both expect and demand that their data is protected. Now more than ever, it needs to be at the top of every business’s agenda.
