APRIL 2015 Cyber Risk legal update

Cyber Insurance, Privacy and Data Security Newsletter

Civil litigation for compensation arising out of data breaches has a greater prevalence in the US and is often cited as one of the reasons why cyber insurance take up has been slower in the rest of the world.

LinkedIn recently settled a class action for damages arising out of the 2012 hack in which approximately 6.5 million passwords were stolen by Russian cybercriminals. The firm agreed to pay $1.25m to US plaintiffs who purchased a premium subscription on the basis that they were influenced by LinkedIn's statements about its security measures. A website has been set-up for compensation claims.

In the UK however, data protection, privacy and cyber issues are rarely litigated. However, litigated claims for compensation appear to be on the rise, with a number of recent cases dealing with the thorny issue of whether compensation for moral damage ought to be available to victims of data breaches if they have not suffered a financial loss.

In our December edition, we reported on the first day of the Court of Appeal's hearing of Vidal-Hall v Google, a case which concerned the collection by Google of information about the internet usage of Apple Safari users by cookies. Google appealed the High Court's decision to permit the claimants to sue Google for distress compensation without having suffered a financial loss.

On 27 March 2015, in a landmark decision, the Court of Appeal endorsed the High Court's approach, establishing a new tort of misuse of private information and, crucially, granted the claimants permission to pursue compensation for mere distress caused by breaches of the DPA under s.13(2) for the first time.

This decision is likely to have a huge impact on privacy law in the UK, paving the way for increasing claims in damages for data protection breaches. The sums obtained will invariably be small, but the potential for large volumes of these small claims will be a worry to companies controlling significant volumes of personal data. Google will seek to appeal the decision, and based on the Court of Appeal's comments that "whilst the damages may be small, the issues of principle are large," they may well get it.

Another case worth a mention is CG v Facebook, in which judgment was handed down in February this year. The Northern Irish High Court found that Facebook Ireland Ltd and an individual owner of a Facebook page misused the private information of the claimant, a convicted sex offender. Offensive personal comments were repeatedly posted on a Facebook page.

The claimant brought a claim against Facebook for misuse of private information, harassment and breach of the DPA. The Court held that Facebook was liable in respect of the postings, particularly on the basis that it had misused the claimant's private information by failing to delete the postings, even after the claimant had complained about them. The individual owner of the page was also held liable for misuse of the claimant's private information in his capacity as primary publisher of the information. Given the nature of the posts, he was also liable for harassment.

The Facebook case may also have led to a discussion on the meaning of damages and distress under s.13 DPA similar to that in Vidal-Hall, however as the claimant failed to prove that Facebook Ireland (which was incorporated in the Republic of Ireland) was "established" in the UK under s.5 DPA, the DPA was held not to apply.

---

UK Developments

Click the below headings to read more on each of the developments...

• MOU between ICO and FCA published 
• Consultation on ICO corporate plan 
• Court finds Max Mosley has possible DPA case against Google 
• CMA consumer data review researchers appointed 
• Police renew IFB anti-crime partnership 
• Regulation of Investigatory Powers (Communications Data) (Amendment) Order 2015 (SI 2015/228) 
• ICO reveal cookie sweep findings 
• Microsoft the first to adopt ISO Code of practice for protection in public clouds 
• WP29 release letter on scope of health data 
• Enforced Subject access requests illegal from 10th March 
• Government to make it easier for the ICO to fine nuisance call companies 
• ICO undertakings 
• ICO monetary penalties

EU Data Protection Regulation Developments

• Council continues to work on EU Regulation Draft

---

Updates from around the World...

• Portugal - unprecedented sentence in Portugal: court accepted the dismissal of an employee for offenses posted on Facebook

• Taiwan - outline of personal information protection issued

• Spain - Spanish national court confirms that data protection infringements are retained post-merger

• Singapore - first annual report of personal data protection commission published

• Japan - the basic act of cybersecurity passed by national diet

• Hong Kong - privacy commissioner action against APP Developers

• Greece - authorisation of disclosure of sensitive data to a third party for judicial purposes

• Australia - failure to notify customers of data beach may result in investigation

• South Korea - guidelines on data protection for big data released

• Japan - new guidelines on personal information protection act

• Russia - update on Russia data protection law

• China - new measures clarify requirements for companies when dealing with consumers’ personal information

• Denmark - data security requirements in relation to personnel administration set out by Danish data protection agency

• Thailand - new Cybersecurity Bill

• Czech - increased protection of personal data on trade licensing register

• Australia - guide to securing personal information issued

• US - presidential cybersecurity agenda

• South Korea - KCC to file criminal complaint against Uber

• Germany – German data protection commissioners speak out against safe harbor

• Japan - Benesse data breach affects one third of population

• China - new cybersecurity regulations for banking sector

• Singapore - new Singapore cybersecurity agency

• Asia Pacific - new cross border certification system agreed by APEC

• Germany - draft bill published aimed at strengthening protection of consumers’ personal data

• Canada - privacy commissioner releases research report on cybersecurity

• Austria - from official secrecy to freedom of information?

Key Dates Calendar

Key date Issue Action  10 March 2015 Enforced subject access requests became unlawful. Financial service companies are advised to note the date on which enforced subject access requests are to be made unlawful and to take early action to ensure that enforced subject access requests are no longer requested. 2015 Findings of ICO triennial review expected to be released. Watch for updates. 2016 Adoption of a final text of the Data Protection Regulation. Watch for updates.

For more information on DAC Beachcroft please contact: