GDPR: Data Breach Class Action Lawsuits Come to Europe
Attorney Jonathan Armstrong Says These Suits More Likely to Succeed Than in US
Breached businesses in Europe: Brace for more class action data breach lawsuits.
"Class actions are here to stay for data breaches," says attorney Jonathan Armstrong, who's a partner at London-based Cordery.
"They're more likely to succeed here than in the U.S., albeit with the caveat that their numbers will be smaller," he says in an interview with Information Security Media Group. That's because at least so far, most European class action lawsuits have required victims to opt in, compared to the U.S. model of having to opt out.
The first U.K. lawsuit sparked by a data breach involved U.K. food-retailing giant Morrisons. Staff filed the lawsuit after an employee - senior internal auditor Andrew Skelton - in 2014 stole and leaked personal information, including salaries and bank details, for nearly 100,000 employees. In 2015, Skelton was sentenced to serve eight years in prison. While the breach case is still working its way through the courts, Armstrong says it could set a precedent that applies to older breaches.
Since May 25, however, European data protection authorities have been enforcing the EU's General Data Protection Regulation, which gives breach victims the right to seek two types of compensation. "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered," GDPR states.
Earlier this month, British Airways was threatened with a £500 million ($650 million) class-action lawsuit in U.K. court after it warned that a hacker had stolen payment card data associated with 380,000 transactions, in one of the worst breaches to ever come to light in the country (see British Airways Faces Class-Action Lawsuit Over Data Breach).
The British Airways breach followed other big breaches at British brand-name retailers, including Carphone Warehouse, Superdrug Stores and Ticketmaster (see Europe Catches GDPR Breach Notification Fever).
As more EU breaches come to light, Armstrong expects to see a commensurate rise in European class-action lawsuits filed in response.
"Things are changing," although GDPR isn't the only reason, he says. "It's partly GDPR, and with the British Airways breach specifically and Carphone Warehouse similarly, there are other regulations as well" that have been leading organizations to alert authorities - and often then victims - about breaches.
In this audio interview, Armstrong discusses:
- How GDPR and other regulations continue to increase Europe's knowledge about the data breach landscape;
- Why Europe can expect to see more class action lawsuits sparked by data breaches and leaks;
- Why British Airways' previous promise that online shopping was "safe" might pose legal problems for the airline.
Armstrong is an experienced lawyer with a concentration on technology, risk and compliance. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Armstrong is a co-author of the LexisNexis technology law publication, "Managing Risk: Technology & Communications."