Simon Fawell, partner and disputes lawyer, and associate Alasdair Marshall, at Signature litigation, explain the current key cyber-litigation risks for UK business.
The threat of mass claims through ‘opt-out’ class actions has receded but has not been extinguished. The decision of the UK Supreme Court in Lloyd v Google late last year stopped in its tracks an attempt to bring this type of claim. However, it’s not an end to the prospect of ‘opt-out’ class actions in the UK. Several other data privacy class actions are still running through the English courts and are being framed to try to avoid the pitfalls that brought down Lloyd. In any event, the direction of travel is becoming clear and there is increasing pressure for individuals impacted by data breaches to be compensated. As a result, it would not be surprising to see some form of opt-out class action regime being introduced in the relatively near future for data privacy cases in the UK.
While class actions present a risk through sheer volume of claimants, another key risk is where very high value corporate data is potentially compromised. The GDPR (and related UK legislation) has increased awareness of data privacy issues and contractual clauses dealing with data issues have become more sophisticated and fiercely negotiated as a result. Where company critical or market sensitive information is lost, the damage can be extremely high. For example, were an intermediary or agent to have a breach incident and lose trade secrets or information that is potentially very damaging to another company’s reputation, which could lead to major litigation. In recent years, the Panama Papers, Solar Winds and Credit Suisse incidents highlight a growing trend toward hackers seeking to obtain sensitive information and publish it to the market.
Directors and CISOs?
It’s not just the companies that fall victim to a breach that could find themselves on the wrong end of a claim. Individual directors of those companies could also find themselves targeted by shareholders for breach of duty where insufficient steps were taken to prevent a breach or the breach was handled badly. Aside from the prospect of large damages awards or regulatory fines (up to 4% of global turnover under the GDPR) hitting the bottom line, the reputational fallout from a breach can wipe millions from the companies’ valuation (Equifax’s stock price reportedly dropped by around USD 5.3 billion following its high-profile breach in 2017). Shareholder actions against directors have been on the rise in the UK and, where a data breach has led to a drop in value for shareholders, claims against directors are increasingly being considered. This mirrors the trend in other jurisdictions such as the US where CISO’s have already been the subject of high-profile claims for breach of duty.
Minimising litigation risk
When a breach happens there is a race against the clock to minimise its impact; secure systems; meet regulatory reporting requirements (there is a 48-hour requirement under the GDPR); and ensure that communication to affected individuals/companies and the market hits the mark. Many companies lose valuable time because they don’t know whether the authority to instruct legal counsel and forensic teams lies with the CISO, the Board or the General Counsel. Preparation can go from making sure there is a clear written plan in place all the way through to a full simulated breach exercise. There are key questions which, at a minimum, should be considered:
- Which key advisors should be contacted (e.g. lawyers and forensics) and who has responsibility for instructing them?
- What are the internal lines of communication? If the system is down, how do key personnel handling the breach communicate securely?
- What do the data privacy clauses in contracts with counterparties require? Are there notification requirements in those contracts?
- How will you communicate with those affected? Are you likely to have to notify thousands of individuals or a handful of corporates?
Know and understand your insurance
It is essential to know in advance what will be covered by your cyber policy and how it operates. For example, does your policy have an overall cover limit but smaller limits within that for different types of loss? What are the notification requirements? Generally, the sooner you contact your insurers following a potential breach, the better.
Maintain a clear audit trail
It is essential for those handling the breach to be clear what information should (and should not) be recorded in the immediate aftermath and which communications will/will not be protected by legal privilege. It is important to have an audit trail of what key decisions were taken and why. However, the pressure of handling a breach, often combined with a misunderstanding of what legal privilege will cover, can lead to ill-judged comments being made in emails which would be disclosable in later litigation and may be unhelpful. Aside from being reminded of the position on legal privilege, key personnel handling the breach should think carefully about how their comments may be viewed later through the prism of litigation and, accordingly, whether those comments should be made in person rather than committed to writing in an email.