Cyber Risk Legal Update - APRIL 2015

DAC Beachcroft Adviser Newsletter


Cyber Insurance, Privacy and Data Security Newsletter

Civil litigation for compensation arising out of data breaches is more prevalent in the US, and this is often cited as one of the reasons why cyber insurance take-up has been slower in the rest of the world.

LinkedIn recently settled a class action for damages arising out of the 2012 hack in which approximately 6.5 million passwords were stolen by Russian cybercriminals. The firm agreed to pay $1.25m to US plaintiffs who purchased a premium subscription on the basis that they were influenced by LinkedIn's statements about its security measures. A website has been set up for compensation claims.

In the UK, however, data protection, privacy and cyber issues are rarely litigated. Even so, litigated claims for compensation appear to be on the rise, with a number of recent cases dealing with the thorny issue of whether compensation for moral damage ought to be available to victims of data breaches if they have not suffered a financial loss.

In our December edition, we reported on the first day of the Court of Appeal's hearing of Vidal-Hall v Google, a case which concerned the collection by Google of information about the internet usage of Apple Safari users by cookies. Google appealed the High Court's decision to permit the claimants to sue Google for distress compensation without having suffered a financial loss.

On 27 March 2015, in a landmark decision, the Court of Appeal endorsed the High Court's approach, establishing a new tort of misuse of private information and, crucially, granting the claimants permission to pursue compensation for mere distress caused by breaches of the DPA under s.13(2) for the first time.

This decision is likely to have a huge impact on privacy law in the UK, paving the way for increasing claims in damages for data protection breaches. The sums obtained will invariably be small, but the potential for large volumes of these small claims will be a worry to companies controlling significant volumes of personal data. Google will seek to appeal the decision, and based on the Court of Appeal's comments that "whilst the damages may be small, the issues of principle are large," they may well get it.

Another case worth a mention is CG v Facebook, in which judgment was handed down in February this year. The Northern Irish High Court found that Facebook Ireland Ltd and an individual owner of a Facebook page misused the private information of the claimant, a convicted sex offender. Offensive personal comments were repeatedly posted on a Facebook page.

The claimant brought a claim against Facebook for misuse of private information, harassment and breach of the DPA. The Court held that Facebook was liable in respect of the postings, particularly on the basis that it had misused the claimant's private information by failing to delete the postings, even after the claimant had complained about them. The individual owner of the page was also held liable for misuse of the claimant's private information in his capacity as primary publisher of the information. Given the nature of the posts, he was also liable for harassment.

The Facebook case may also have led to a discussion on the meaning of damages and distress under s.13 DPA similar to that in Vidal-Hall. However, as the claimant failed to prove that Facebook Ireland (which was incorporated in the Republic of Ireland) was "established" in the UK under s.5 DPA, the DPA was held not to apply.

For DAC Beachcroft cyber updates, please follow us at @legallnutt and @hillegal1970.

For DAC Beachcroft privacy updates, please follow us at @DACBprivacy.


UK Developments


EU Data Protection Regulation Developments

  • Council continues to work on EU Regulation Draft

Updates from around the World...

Key Dates Calendar

Key date



10 March 2015

Enforced subject access requests became unlawful.

Financial service companies are advised to note the date on which enforced subject access requests are to be made unlawful and to take early action to ensure that enforced subject access requests are no longer requested.


Findings of ICO triennial review expected to be released.

Watch for updates.


Adoption of a final text of the Data Protection Regulation.

Watch for updates.


For more information on DAC Beachcroft please contact:


Rhiannon Davies, Associate

+44 (0) 20 7894 6577

[email protected]