USA data breach class actions are commonplace. However, the increasing use of class-action-type Court procedures, combined with hungry third-party litigation funders, means that similar claims are now on the increase on this side of the Atlantic. Andrew Jones and James Hughes look at the relevant Court procedures and the data breach class actions making their way through the English courts. Businesses and their cyber insurers should take note – we are poised for a material increase in these types of claims.

Class action procedures in the UK

'Class actions' or group litigation enable claimants with similar claims to group together and bring actions collectively against the same defendant(s). There are two main forms of group litigation in England and Wales available for collective data breach litigation:

1) Group Litigation Orders; and

2) Representative Actions.

1) Group Litigation Order ("GLO")

A GLO is an order by the Court made under CPR 19.11 to provide for the collective management of numerous claims that give rise to "common or related issues of fact or law". It should be borne in mind that each claim remains substantively separate and the GLO is only a mechanism to manage all those individual claims together for reasons of efficiency. Each claimant pleads individual facts and any damages payable are tailored accordingly. One of the best-known GLOs was the RBS Rights Issue Litigation, which concerned securities-related claims against RBS and its former directors in respect of the £12bn rights issue, and in which the various claimant groups recovered over £800m in damages.

GLOs operate on an "opt-in" basis, whereby claimants are not included in the action unless they take positive steps to join by entering details of their claim into a "Group Register" which is established once the GLO has been made. The proposed claim is usually advertised to alert potential claimants and (for efficient case management) the Court will often direct a cut-off date after which claimants cannot be entered onto the Group Register without the court's permission. If the limitation period has not expired, claimants may still be able to issue their own individual claims later outside of the GLO.

The rules allow a single Claim Form to be used and usually the Court will order the filing of group Particulars of Claim containing general allegations as well as a separate schedule setting out the facts relied upon and the specifics of damage suffered for each claimant. Up until the point that individual issues need to be determined, the defendant may only need to plead a defence to the group Particulars of Claim. Depending on the Court's view as to how to manage the litigation best, there may then be determination of preliminary issues and/or a trial of the lead or test claims in order to best deal with all the issues being contested. At that point, the defendant may well need to plead a defence in respect of more specific issues that arise in those particular claims. Any judgment on a GLO issue will be binding on all other claims on the Group Register.

Specific GLO costs rules apply which ring-fence a claimant's costs liability and do not leave it exposed to all the defendant's costs. Each claimant is only liable for a several share of the common costs of pursuing the GLO and a several and equal share of any costs awarded to the defendant if the claim does not succeed.

HM Courts & Tribunals Service figures indicate that since their introduction in 2000 only 108 GLOs have been issued.

2) Representative Actions

Representative Actions under CPR 19.6 are an alternative procedure to GLOs and may be made by numerous claimants who have the "same interest" in a claim i.e. they must all have a common grievance and the relief sought must be the same for all claimants. The claim is brought by a representative of all of the claimants who prosecutes the action on both their behalf and on behalf of the entire class. There is no need to list the class members but it must be possible to say of any particular person whether or not they qualify for membership of the represented class by virtue of them having "the same interest". Any judgment or order given is binding on all class members represented.

Unlike GLOs and more like their American equivalents, Representative Actions are "opt-out" and so all persons falling into the represented class form part of the litigation unless they take positive steps to remove themselves.

The Representative Action "same interest" requirement is a more restrictive test than the test of "common or related issues of fact or law" for GLOs. In addition, the Court has a wide discretion to permit (or not) such claims to proceed, which in part explains why such class actions are not as prevalent here as in the USA.

Funding of class actions

In England and Wales, it is permissible for a funder, subject to certain restrictions, to fund litigation in return for a share of the proceeds received by a party. Litigation funding has developed substantially in recent years and class actions represent a potentially lucrative area for funders.

While CFAs and other funding routes are potentially available, the reality is that these types of class actions are unlikely to proceed without third-party litigation funders. ATE insurance policies are also usually obtained to meet the costs of a successful defendant.

Class actions and causes of action for data breaches

The common issues and interests involved in mass data breaches (where the data of a large number of data subjects is compromised simultaneously, often via a cyber-attack) therefore potentially lend themselves well to class actions, either via GLOs or Representative Actions, depending on which procedure is best suited to the key liability and damage issues in play.

For post-25 May 2018 data breaches, Article 82 of the General Data Protection Regulation ("GDPR") (given effect in England and Wales by s.168 Data Protection Act ("DPA") 2018) provides a right to claim compensation for individuals who have suffered "material or non-material damage" as a result of infringement of the GDPR. "Non-material damage" specifically includes "distress". Recital 85 to the GDPR lists "loss of control" over personal data as another example of the kind of damage that might be caused as a result of a data breach.
