Legal Business Blogs

Sponsored briefing: As data breach becomes a battleground for class action litigation, companies need to take a risk-based approach to cyber security

The pandemic and GDPR regimes have heightened the litigation risk presented by data breaches and other cyber security issues in recent years.

Cyber attacks have grown in number and sophistication as businesses relied more than ever on technology to deliver their products and as remote working became the norm. According to a UK government report1, two in five businesses in Britain suffered cyber security attacks in the 12 months to March 2021, with an attached cost of £13,400 on average per data breach for medium and large companies.

Litigation routes for those pursuing data breach claims through the courts have also expanded, with collective actions gaining momentum in Europe recently.

The number of class action increased by 120% between 2018 and 20202 as new legal frameworks emerged, with data breach claims against Facebook and TikTok being filed in the Netherlands3 and against Google and British Airways in the UK, to name a few. The advancement is set to continue as EU member states implement the EU’s Representative Action Directive by the end of 2022.

A recent survey conducted by Alvarez & Marsal and Legal Business suggests that corporate lawyers are mindful of this development. In fact, 85% of in-house lawyers interviewed said that data breach was the area most likely to give rise to class action or group litigations.

In addition, tech and telecommunication is seen as the sector most exposed to such claims, followed by financial services and tourism, according to the survey. Respondents also expect the rapid growth in third-party litigation funding to support an increase in cases.

Lloyd v Google did not close the door for data breach class actions

The predicted uptick in collective actions is particularly remarkable given the Supreme Court decision on the Lloyd v Google case, which ruled in favour of the technology company last November. The pivotal case assessed whether an opt-out representative group action could proceed against Google on a breach of privacy laws.

While the decision may have been welcomed by many businesses, it does not mean that the door for data breach class action has been closed completely. In fact, the judgment clarified important points about representative actions and indicated other formulation of claims which would have been successful.

It is also important to remember that collective action pursued under an opt-in regime remains a route open to claimants affected by data leaks, as recent cases involving Virgin Media and EasyJet in the UK show.

Another reason for businesses to be vigilant about their data security litigation risks is simply the growing scale and scope of threats. Ransomware cases in particular have spiked since the pandemic, with criminals broadening their targets to include companies in sectors as varied as food manufacturing and airport operations. In the US, several class action lawsuits are already popping up following high-profile ransomware attacks.

Third-party relationships are also providing fertile ground for cyber attacks, with a marked rise in breaches occurring through companies’ software supply chains. And to make matters worse, there are growing concerns about a potential cyber security fallout resulting from the Ukraine conflict.

Moving cyber security compliance from box-ticking to a risk-based approach

While cyber security breaches could be seen as a virtual inevitability in this rapidly changing scenario, there are proactive measures a business can take to mitigate the risk of finding itself the subject of a data breach class action.

Regulatory compliance should naturally be the starting point for any business aiming to minimise the menace of cyber security attacks and ensuing group litigation.

However, having a GDPR-compliant system in place is not enough. To stay ahead of today’s evolving threats, companies need to move from a box-ticking approach to cyber security to a risk-based one whereby investments and efforts are defined and prioritised through a cost/benefit analysis.

This means protecting critical information in line with the business impact – financial, reputation and compliance – they could have in the event of losing the confidentiality, integrity or availability of consumer data. Such approach will help identify individual risks and assign a level of criticality to each asset so that a clear strategy to prevention and response to attacks can be developed, and resources can be prioritised accordingly.

The risk-based framework should cover technology, processes and organisational aspects needed to protect personal data and prevent it from falling into wrong hands. If a breach does occur, this enterprise-focused approach will help the company respond rapidly, which is therefore crucial to contain the damage and minimise the scope of any group litigation in the future.

As data breaches continue to emerge as an attractive new battleground for disputes, corporates must remain alert. Embedding cyber security into general business risk management is the way forward for companies looking to rise to the challenge of improving their cyber defences and insulating themselves from class action claims.

By Lorenzo Grillo, managing director with Alvarez & Marsal’s disputes and investigations practice in London.