Class Actions and Governmental Regulation as a Regulatory Tool For Privacy and Data Security Violations: The U.S. and U.K. Experience

Aug. 20, 2012, 10:00 PM UTC

Data breaches are prevalent in today’s marketplace. In the United States, since 2005, over 3,000 data breaches have been publicly reported, exposing over 560,000,000 individual records. [note 1: Privacy Rights Clearing House, Chronology of Data Breaches, www.privacyrights.org/data-breach (last visited June 14, 2012).] They are also expensive. Setting aside the damage to goodwill, and the difficulty outsiders face in placing a value on a breach without complete information, in 2010 U.S. data breaches cost companies an average of $7.2 million per breach event. [note 2: Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach, available at http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher.] The most expensive breach in that study cost roughly $35 million. [note 3: Id.] In the same year in the U.K., data breaches cost organizations an average of £1.9 million ($3 million), or £71 ($110) per record, an increase of 13 percent on 2009 and 18 percent on 2008. U.K. incidents ranged in size from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 ($56,000) to £6.2 million ($9.7 million). The cost of the most expensive incident increased by £2.3 million ($3.6 million) compared to 2009.

Likewise, in the U.S., litigation over privacy violations has recently garnered great attention. In March of this year, plaintiffs in Texas filed a putative class action against 18 high-profile mobile application companies—including Apple, Twitter, Facebook, LinkedIn, Yelp, and Electronic Arts—alleging various privacy violations. [note 4: Opperman v. Path, Inc., No. 12-219 (W.D. Tex. filed March 12, 2012).] U.S. states are actively passing new privacy-protection statutes, and companies must keep up to date with the most recent regulations. In the U.K., the statutory landscape is more mature, but recent events may point to more litigation in the future, as described below.

In short, the prevalence and cost of data breaches and privacy violations are impossible to ignore. It is important for attorneys and corporations to understand the legal and regulatory landscape surrounding these developing fields. It may be instructive to compare the U.S. with European (specifically the U.K.) experience, where a legal system with an ostensibly similar background has taken a different approach to data breaches and privacy violations.

I. What Are We Talking About Here?

At the outset, it is important to define precisely the scope of what is being discussed. Two categories of data violations exist: data security breaches and privacy violations. Data security breaches involve a company losing a third party’s personal records or information that were provided (either knowingly or unknowingly) to the company. Data security breaches are generally the result of omissions (e.g., failing to employ adequate cyber security measures), accidents (e.g., losing a laptop or cell phone that contains customer records or employee information), or intentional acts by third parties (e.g., hacks and thefts). Allegations of privacy violations, on the other hand, generally focus on affirmative acts by companies: collecting and/or selling customers’ personal information in violation of government regulations or self-proclaimed policies.

In the U.S., the two categories are remedied by different laws. Typically, data breach cases are pursued through negligence, contract, or other state common-law claims. Additionally, almost all U.S. states have enacted security breach notification statutes that place disclosure obligations on corporations and, in some cases, create new remedies for affected consumers. [note 5: See, e.g., Tex. Bus. & Comm. Code Ann. §521.053 (requiring a business licensed in the state to disclose to consumers any instance of data security breach that may have exposed sensitive personal information).]

In the U.S., privacy violations are usually enforced through statutory causes of action. There are numerous U.S. federal statutes that protect consumers’ private, electronically stored information; the Stored Communications Act, [note 6: 18 U.S.C. §2702.] the Computer Fraud and Abuse Act, [note 7: 18 U.S.C. §1030.] the Electronic Communications Privacy Act, [note 8: 18 U.S.C. §2510.] the Video Privacy Protection Act of 1988, [note 9: 18 U.S.C. §2710.] and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule [note 10: 45 C.F.R. §160.] are just a few. Within the past 10 years, states have also begun enacting legislation to protect private information. [note 11: See, e.g., Cal. Civ. Code §§1798.83–.84 (requiring all nonfinancial businesses to disclose to consumers the types of personal information the business shares with or sells to a third party).] These privacy statutes provide the most common basis for pursuing privacy violations. Alternatively, state and federal consumer protection statutes may also provide a means to enforce companies’ compliance with their own privacy policies. For instance, the well-known 2011 Federal Trade Commission (FTC) complaint against Facebook alleged that the company deceived consumers, in violation of the Federal Trade Commission Act, by publicizing privacy policies and settings that it did not follow. [note 12: Complaint, In re Facebook, available at http://ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf.]

In the U.K., the legal landscape is simpler, but nevertheless imposing. All aspects of data protection, including both data breaches and privacy violations, fall within the scope of EU Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” known as the Data Protection Directive. [note 13: Council Directive 95/46/EC, art. 1, 1995 O.J. (L 281) 31 (EU), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.] As a European Directive, this piece of EU law does not apply of its own force in EU Member States; it must instead be transposed into national law by each individual country. (This has led to variation in the way the law has been implemented across Europe, as has the way in which national courts have interpreted the Directive.) In the U.K., the Data Protection Directive was implemented through the Data Protection Act 1998 [note 14: U.K. Data Protection Act [hereinafter U.K. DPA], 1998 c. 29, available at http://www.legislation.gov.uk/ukpga/1998/29/contents.] (DPA), which superseded the U.K.’s earlier Data Protection Act 1984.

The Data Protection Directive imposes an onerous and extensive regulatory regime, placing broad obligations on those who collect and process personal data. The Directive also aims to give broad rights to individuals in relation to the processing of their data. In incorporating the Data Protection Directive into U.K. law, the whole of Part 2 of the DPA relates to “rights of data subjects and others,” and includes sections dealing with the right of access to personal data, the right to prevent processing likely to cause damage or distress, the right to prevent processing for purposes of direct marketing, rights in relation to automated decision-taking, rights of data subjects in relation to exempt manual data, and, crucially for the purpose of this article, compensation for failure to comply with certain requirements. [note 15: See U.K. DPA §§7, 10, 11, 12, 12A, 13.]

II. Class Actions as a Regulatory Tool:
The Experience in the United States

As a general rule, class actions centered on data breaches and privacy violations face a key hurdle to success in the U.S. Plaintiffs must prove the individuals affected by the breach were actually injured in some way. Therefore, not every breach or privacy violation results in a viable class action (or individual claim). Because of this hurdle, the most consistent risk aspect arising from a data breach or privacy violation is the cost of defending the class action, and the negative publicity generated by the filing of the class action in the first instance.

An often cited example of the injury rule is found in Pisciotta v. Old National Bancorp. [note 16: 499 F.3d 629 (7th Cir. 2007).] The defendant, Old National Bancorp (ONB), collected personal information and data from its clients in the process of originating bank accounts. In 2005, the company hosting ONB’s website reported a security breach, and ONB sent written notice of the breach to its customers. ONB initiated an investigation, and, as the court described, the investigation indicated that “the intrusion was sophisticated, intentional and malicious.” [note 17: Id. at 632.] Two customers brought a putative class action against ONB, alleging that ONB negligently failed to adequately protect customers’ sensitive personal information and that ONB breached implied contracts to protect the data.

To succeed on both their negligence and breach-of-implied-contract claims, the plaintiffs had to plead damages recoverable under state law. In other words, they had to prove an actual, compensable injury. In their attempt to do so, the plaintiffs claimed they had “incurred expenses in order to prevent their confidential personal information from being used and w[ould] continue to incur expenses in the future.” [note 18: Id.] At the crux of the case, the court held, was a determination whether “the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitute[d] an existing compensable injury and consequent damages required to state a claim for negligence or for breach of contract.” [note 19: Id. at 635 (emphasis in original).]

Ultimately, the court concluded: “Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.” [note 20: Id. at 639.] In other words, speculative fear of a future identity theft—including the attendant costs of credit monitoring to protect against such theft—is not a compensable injury. Without something more concrete, a plaintiff’s claim cannot survive. Numerous courts have reached similar results. [note 21: Ruiz v. Gap, Inc., 380 Fed. App’x 689 (9th Cir. 2010) (affirming summary judgment against plaintiff who alleged a negligence claim arising from theft of a laptop containing his personal data because he failed to offer sufficient evidence of damages to support his claim); Resnick v. AvMed, Inc., No. 10-24513 (S.D. Fla. Apr. 5, 2011) (dismissing data-breach claims arising from the theft of laptops carrying personal data because the plaintiffs failed to state a cognizable injury); Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 712–13 (S.D. Ohio 2007) (granting summary judgment to defendant because the plaintiff failed to demonstrate compensable injury); Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006); Guin v. Brazos Higher Educ. Serv. Corp., No. 05-668, 2006 BL 18926 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. 03-0185 (D. Ariz. Sept. 6, 2005).]

Like most rules, however, exceptions exist. While speculative injury is uncompensable, courts have found circumstances that cross the line from speculative to actual risk of injury. Most notable is the First Circuit’s decision in Anderson v. Hannaford Brothers. [note 22: 659 F.3d 151 (1st Cir. 2011).] In Anderson, customers of Hannaford’s grocery stores brought suit following the theft of their electronic payment data by a third party. The court held that the purchase of credit insurance and credit monitoring services were reasonable efforts by the plaintiffs to mitigate their damages. Because state law “encourage[d] plaintiffs to take reasonable steps to minimize losses caused by a defendant’s negligence,” the court allowed the plaintiffs to recover for their preventative expenses. [note 23: Id. at 162.]

Anderson may be readily distinguishable from a run-of-the-mill data loss case. The Anderson court noted that the theft was a “large-scale criminal operation conducted over three months,” and involved the “deliberate taking of credit and debit card information by sophisticated thieves intending to use the information to their financial advantage.” [note 24: Id. at 164.] By the time Hannaford acknowledged the breach, “over 1,800 fraudulent charges had been identified” and at least one plaintiff had experienced unauthorized charges to her account. [note 25: Id. at 164–65.] In this case, the threat of future injury was not merely speculative, it was real: many customers had suffered actual injury, and the court found that it was not unreasonable for the plaintiffs to expect the same. [note 26: Id. at 165.] On these unusual facts, the court allowed the plaintiffs to recover the reasonable mitigation cost of purchasing credit insurance and monitoring.

Many data breach cases will not involve such concrete injuries. Class actions, therefore, are not a guaranteed avenue of recovery for plaintiffs, or of judgment exposure for defendants, in breach and privacy violation cases. They are not, however, without cost to defendants: even unfounded lawsuits can be expensive. Ponemon’s 2010 study attributes 14 percent of U.S. data breach costs to legal defense services, around $1 million per event on average. [note 27: Ponemon, supra note 2, p. 21.] Companies that experience data security violations inevitably face these costs, and the lawsuits and costs of defense should provide a strong incentive to adopt stronger policies and security measures.

III. The Real U.S. Enforcer:
Government Action, Forced Conduct, Fines

Class action plaintiffs face obstacles to recovery, but corporations should not expect to avoid penalty for data violations. The most daunting penalty has shifted from private, class recoveries to government enforcements. The FTC and state agencies are taking an active role in enforcing privacy legislation and providing stiff consequences for data security breaches. The new Consumer Financial Protection Bureau will likely follow suit.

The most recognizable instance of this trend is the Facebook privacy litigation. In May 2011, a California federal court dismissed the putative class action—alleging statutory and common law claims for selling personal information to third-party advertisers—for failure to allege sufficient injury to state a claim upon which relief could be granted. [note 28: In re Facebook Privacy Litigation, 791 F. Supp. 2d 705 (N.D. Cal. 2011).] In the same year, however, the FTC filed an eight-count complaint against Facebook for violating the Federal Trade Commission Act. [note 29: See Complaint, In re Facebook, supra note 12.] The FTC alleged that Facebook engaged in deceptive trade practices by publicizing privacy settings and policies that it did not actually follow. The FTC announced a settlement with Facebook in November 2011. [note 30: Press Release, Fed. Trade Comm’n, Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises (Nov. 29, 2011), available at http://ftc.gov/opa/2011/11/privacysettlement.shtm.] In October 2011, the FTC gave final approval to a similar settlement with Google over the company’s failure to follow its own privacy policies when it rolled out Google Buzz. [note 31: Press Release, Fed. Trade Comm’n, FTC Gives Final Approval to Settlement with Google Over Buzz Rollout (Oct. 24, 2011), available at http://www.ftc.gov/opa/2011/10/buzz.shtm.]

A seemingly innocuous term present in each of these settlements is worth a second look. Both Google and Facebook were required to conduct regular, independent privacy audits for the next 20 years. A significant difference between a civil lawsuit and an enforcement action is the potential addition of forced conduct in addition to monetary penalties. Regular, comprehensive, independent privacy audits are a costly imposition. They may be especially burdensome to less robust or sophisticated companies that do not have the resources of Facebook and Google. The trend towards forced conduct—imposing costly, time-consuming audits for as long as 20 years—is a shift in the regulatory landscape. It is a strong incentive to be familiar and compliant with emerging privacy regulations and data security measures.

Unlike civil litigants, state and federal regulators—such as state attorneys general, the FTC, and the CFPB—need not plead or prove that the parties affected by a breach suffered actual injury. Many statutes provide for fines and remedial conduct where a security breach or privacy violation resulted from a company running afoul of a regulating statute. In the United States, class actions will remain a threat to companies experiencing data breaches or privacy lapses. But the specter of a government investigation, costly in its own right, or of a government enforcement action that could result in mandatory remedial conduct as well as fines and penalties, is likely the more serious and more consistent threat to a company at the center of a big data issue.

IV. Strict Regulation:
The Experience in the United Kingdom

As already mentioned, in the U.K., §13 of the DPA expressly gives individuals the right to compensation for failure to comply with certain requirements of the Act. Section 13(1) provides that “[an] individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.” Going further, the same section also envisages compensation for distress, but generally only where some financial harm is also suffered. Section 13(2) provides that “[an] individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes.” (The “special purposes” are the purposes of journalism, artistic purposes and literary purposes.).

The authors of this article have been unable to find any reported case in which an individual has successfully recovered compensation under §13 for a data breach. Leaving aside the fact that the U.K. is generally perceived as a less litigious environment than the U.S., the lack of successful claims under §13 may be attributed to a number of different factors. First, some cases may have quietly settled before being reported or publicized. Second, data controllers may have persuaded putative claimants not to sue by invoking the statutory defense in §13(3), which applies when a data controller has taken adequate measures: “In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.” More likely, however, is that putative U.K. claimants have faced the same legal obstacle as those considering action in the U.S., i.e., the difficulty of showing actual damage of the sort recognized by the law. Put simply, the DPA does not allow for compensation without some tangible loss.

For example, in the only widely reported case brought under §13, [note 32: Johnson v. The Medical Defence Union Ltd. (2), [2006] EWHC (Ch) 321 (3 March 2006).] a surgeon whose insurer withdrew his professional indemnity cover brought an action against the insurer under the DPA. He claimed that the insurer had processed his personal data unfairly (which would be a breach of the first data protection principle under the DPA). The judge found that the DPA applied, but that there had been unfair processing in only two out of 17 files that the insurer had opened on the surgeon. However, because the judge found that any unfairness in processing had not, on the balance of probabilities, had any impact on the insurer’s decision to withdraw cover, the unfair processing had not caused any damage to the claimant, who accordingly lost his claim to compensation under §13. [note 33: The claimant appealed to the Court of Appeal, which refused the appeal, finding that the insurer’s manual selection of the files did not amount to processing for the purpose of the DPA. Thus, the claim was flawed regardless of whether or not the processing was fair or whether the surgeon was entitled to compensation for any damage he might have suffered.]

Given the dearth of cases in which claims have been brought in the U.K. by the victims of data security violations and privacy violations of the sort described above, it is fair to say that the threat of civil litigation probably plays only a very small part in policing the use of personal data in the U.K. What undoubtedly plays a much greater role is an active regulator that is willing to take action to enforce strict rules. That regulator is the Information Commissioner’s Office (ICO).

As the ICO’s website says: “The Information Commissioner’s Office’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It rules on eligible complaints, gives guidance to individuals and organizations, and takes appropriate action when the law is broken.” [note 34: Information Commissioner’s Office, www.ico.gov.uk (last visited June 15, 2012).]

The powers at the disposal of the ICO are significant and include the power to bring criminal proceedings, to take non-criminal enforcement action and to audit organizations. The Information Commissioner has also recently been given the power to serve a monetary penalty notice on a data controller. In full, the ICO’s enforcement powers are to:

  • serve information notices requiring organizations to provide specified information within a certain time period;
  • issue undertakings committing an organization to a particular course of action in order to improve its compliance;
  • serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organizations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
  • conduct consensual assessments (audits) to check organizations are complying;
  • serve assessment notices to conduct compulsory audits to assess whether organizations’ processing of personal data follows good practice;
  • issue monetary penalty notices, requiring organizations to pay up to £500,000 (US$780,000) for serious breaches of the Data Protection Act; and
  • prosecute those who commit criminal offences under the Act.

The penultimate power to issue monetary penalties is new, applying to breaches occurring on or after April 6, 2010. The ICO has been quick to use this power, issuing some 19 monetary penalty notices since the power was introduced (at the time of writing).

The biggest penalty to date has been imposed on a National Health Service hospital trust whose IT services contractor (operating under an expired service level agreement) allowed 1,000 hard drives to be handed over, without charge and without a written contract being entered into, to an individual for the purposes of being destroyed. A number of those hard drives were later sold on eBay. Four of the hard drives held information originating from a database in the HIV and Genito Urinary Medicine Department, including names, dates of birth, occupations, sexual preferences, STD test results and diagnoses for 67,642 patients, in readable format. A second database consisted of the names and dates of birth of 1,527 HIV positive patients. As a result of a police investigation, it became clear that the individual concerned had sold at least 232 of the hard drives on eBay, all of which contained highly sensitive personal data of tens of thousands of patients and staff. The penalty imposed on the trust by the ICO was £325,000 (US $500,000). [note 35: Information Commissioner’s Office, Monetary Penalty Notice (28 May 2012), available at http://bit.ly/MzXk1N.] The NHS trust has stated that it will appeal the penalty.

The exercise of these new powers by the ICO is in many ways more draconian than prosecution through the criminal courts, which previously was the ICO’s biggest stick. Although criminal prosecution and conviction may be more damaging to an organization’s reputation than a “monetary penalty,” the scale of fines imposed by the courts has always been comparatively low. In none of the eight prosecutions brought since June 2011 have the fines exceeded the equivalent of US $2,000 (although in some cases confiscation orders over the proceeds of crime, costs orders, and victim surcharges have significantly increased the overall financial impact on the defendants). [note 36: See Information Commissioner’s Office, Prosecutions, http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx#prosecutions (last visited June 15, 2012).]

In the vast majority of cases, however, the ICO is able to achieve its ends by obtaining information from data controllers and, if necessary, securing undertakings to ensure compliance. It is perhaps a good example of a regulator using a carrot-and-stick approach. For example, the most recent undertaking on the ICO’s website at the time of writing this article was an undertaking by Holroyd Howe Independent Ltd. to comply with the seventh data protection principle (namely that appropriate technical and organizational security measures must be taken to prevent unauthorized or unlawful processing of, and accidental loss of, or destruction or damage to, personal data). [note 37: U.K. DPA, Schedule 1, available at http://www.legislation.gov.uk/ukpga/1998/29/schedule/1.] This followed the inadvertent release by Holroyd Howe Independent Ltd. of a document containing details of employees’ pay to a former employee. In this case, because of the lack of adverse consequences and the quick remedial action taken by the data controller, the ICO considered it sufficient to rely on undertakings rather than enforcement action. On that basis, the data controller gave five undertakings:

(1) to make all staff aware of the data controller’s amended policy for the storage and use of personal data, and to ensure they are appropriately trained in how to follow that policy;

(2) to take appropriate security measures to protect personal data sent by email; in particular, sensitive personal data shall not be transmitted by email across the internet unless encrypted to current standards;

(3) appropriately and regularly to monitor compliance with the data controller’s policies on data protection and IT security issues;

(4) to enter into formal contracts or agreements with any data processor the data controller selects to process personal data on its behalf, and to ensure that those contracts or agreements comply with the DPA; and

(5) to implement such other security measures as the data controller deems appropriate to ensure that personal data is protected against unauthorized and unlawful processing, accidental loss, destruction, and/or damage.

No doubt, had the data controller refused to give these undertakings, it could have been the subject of enforcement action, either through a monetary penalty notice or even through prosecution. The threat of that big stick was sufficient to persuade Holroyd Howe Independent Ltd. to take the carrot of undertaking to improve its policies and procedures.

Whether or not there is evidence to back up such claims, “data protection” is frequently invoked in the U.K. as a reason for keeping even the most basic information private. On many occasions there is in fact no legal reason for such reticence. The ICO has even gone as far as publishing lists of DPA “myths,” such as the myth that the DPA “prevents priests from naming sick parishioners during church prayers.” [note 38: Information Commissioner’s Office, Data Protection myths and realities, available at http://bit.ly/3DyBSr.] The fact remains that in the U.K., the threat of sanction by the ICO acts as a strong tool to stop companies from disclosing personal data.

Since the implementation of the Human Rights Act 1998 (HRA), by which the right to privacy contained in Article 8 of the European Convention on Human Rights has become enforceable in the U.K., celebrities and others have used the law, in the shape of the HRA and the DPA, to enforce privacy rights in the U.K. But, to date, those rights have related not so much to data breaches, but more to the invasion of privacy by “paparazzi” photographers and tabloid journalists.

The one exception to all of this is, of course, the large number of civil proceedings brought against News International following the phone hacking scandal. This is a story which has still not fully unfolded, and which has many aspects to it (including regulatory action by the U.K.’s communications regulator Ofcom, criminal proceedings and a number of public inquiries). But civil proceedings form a very significant part of the story. According to press reports from December 2011, [note 39: Martin Hickman, Murdoch’s £100m plan to settle hacking cases before they get to court, The Independent, Dec. 29, 2011, available at http://www.independent.co.uk/news/uk/crime/murdochs-100m-plan-to-settle-hacking-cases-before-they-get-to-court-6282554.html.] News International has set up a legal fund of £100m (US $156m) to settle civil litigation brought by phone-hacking victims. And although it was reported in February 2012 that 60 cases against NI brought by hacking victims had already been settled, [note 40: Ben Fenton, Singer Church settles hacking case, Financial Times, Feb. 21, 2012, available at http://www.ft.com/cms/s/0/3be0cc00-5cb4-11e1-8f1f-00144feabdc0.html#axzz1vsyknbKh.] it is said that 800 people had voicemails intercepted, so there may be many more cases yet to come.

So the legal landscape around data breaches has developed rather differently in the U.K., when compared to the U.S. In the U.K., there has been a long history of strong regulation by a regulator that has used a variety of tools, and which now has more than ever. As in the U.S., in the U.K. civil proceedings have had little role to play, with the one exception of phone-hacking. Whether this opens the flood gates for similar claims in the future remains to be seen. In both countries, strong state regulators, with the ability to impose fines and, more significantly, compel conduct, represent the strongest enforcement and regulatory tool to prevent data security breaches and privacy violations.
