Is a wave of data breach litigation on the horizon?

by Egress
Published on 30th Apr 2021

The public often hear that their data is unsafe. But what can the average person really do if they discover their details have been leaked by a large organisation with a legal team on retainer?

The answer is quite a lot. GDPR has changed people’s perception of their rights and brought data privacy into the public eye. Now individuals are realising they have the power to fight back when their personal information is leaked in a breach.

This could have serious implications for how organisations handle sensitive data in the future, especially around widely used channels such as email. But just how concerned should businesses be?

The role of GDPR

We’re living in a time of elevated data protection, and 25th May 2021 will mark the third anniversary of the introduction of GDPR. Since it was introduced, businesses have been tasked with both a legal and ethical obligation to protect and secure customer data.

Egress recently hosted a webinar ‘Preventing email errors from leading to lawsuits,’ to explore the rising number of people banding together in litigation cases. Egress Chief Product Officer Sudeep Venkatesh spoke about the impact GDPR has had on class action lawsuits, specifically with regards to data breaches.

He explained, “As data privacy has emerged over the past few years, it’s become clear that businesses will be fined and undergo reputational damage. But now litigation and collective action could also happen where you have groups of people suing you because you broke a promise to safeguard their data.”

Almost all organisations will be aware of the penalties of falling foul of GDPR – but now they need to also prepare for a wave of potential legal action from consumers too. Stories about litigation over data breaches are becoming more common, with some even referring to it as the ‘new PPI.’

Have you been mis-sold PPI?

It’s a phrase many in the UK will have seen or heard on legal adverts over the past decade. PPI (Payment Protection Insurance) was originally created to protect your loan or credit card repayments for a year in the event of sickness, unemployment, or an accident.

However, it turned out the methods used to sell it were far from above board – and around 64 million policies were sold between 1990 and 2010. After consumer champions fought for the public to be able to claim that money back, hundreds of thousands of claims were made. Some individual pay outs reached up to £250,000.

Litigation culture has always been more associated with the US than the UK, but PPI has caused a permanent shift. It led to the introduction of a “no win, no fee” claim culture where consumers had the opportunity for a pay-out with zero risk to themselves.

And now, we may be on the brink of a similar scenario with data breach victims. As the public become more aware of their rights on data protection, this could be a dangerously expensive trend for businesses who leak data.

While PPI was only really a concern for businesses within the financial services industry, data breach litigation could impact any organisation that handles and shares sensitive information. A new phrase might soon enter into common legal vocabulary – have you been the victim of an email data breach?

The growing risk of sharing data by email

What should be of most concern to businesses, is just how easily data can be leaked through human error. It often only takes a single email. Of the 2,594 data breach incidents reported to the Information Commissioner’s Office (ICO) in the second quarter of 2020, 402 were instances of data being emailed to the wrong person.

In September 2015, an email was sent from 56 Dean Street (a central London sexual health clinic) disclosing the names and email addresses of almost 800 patients using its HIV services. The mistake? Recipients were supposed to be blind-copied into the email, but CC was used instead. Now the worst-hit victims could be in line to receive damages of up to £30,000.

Despite the warning signs, outbound email data breaches continue to happen at a high rate. Egress research found that 93% organisations have seen an outbound email data breach in the last 12 months. On top of that, a post-pandemic remote working culture will only make breaches more likely.

Egress’ recent report into remote working found that 80% of remote workers share sensitive data with clients and colleagues via email, and 60% still work in domestic spaces with frequent distractions and interruptions. 68% percent of the surveyed IT leaders believe a remote workforce will mean more email data breaches in the future.

While it’s unlikely every breach will lead to mass litigation, this is an area of risk in an increasingly litigious culture that businesses cannot ignore.

More litigation on the horizon?

Data breach litigation is something that could hit any business that handles sensitive data, regardless of industry. Now is the time to take consumer litigation seriously: the potential for large pay-outs is a reality that companies need to grasp before they are caught out by something as simple as a misdirected email.

Stewart Room, Global Head of Data Protection & Cyber Security at DWF Law LLP, had this to say at the recent Egress webinar: “In the context of a big breach, you have to work on the basis that it is going to attract group litigation or representative action.”

“I think it is going to be the hallmark of the next 20-year cycle of data protection and security. You cannot presume that the ICO and other regulators are going to go easy on every company that pleads the case of stressed and overwhelmed employees, and it is well worth considering that regulatory fines are not going to be the only financial impact of a data breach.”

“As those people who were impacted begin to come together and take action, organisations should be more aware of litigation as a growing consequence of data breaches.”

If you’d like more insight from Sudeep and Stewart, you can watch the full webinar for free and on-demand here.