Civil litigation risks following data breaches



The rise in incidents of significant breaches of personal information has also given rise to recourse to the courts for civil remedies.

In the United States, companies that have experienced data breaches often face consumer class action lawsuits shortly after the breach. Common claims in such lawsuits are that the company violated state unfair business practices laws, breached a contract, was negligent, or is subject to liability for a privacy tort (such as intrusion upon seclusion or public disclosure of private facts). A recent 2013 US Supreme Court decision (Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013)) has made it more difficult for plaintiffs to file breach-related suits in federal courts when class members have not yet suffered monetary losses or when an injury is not ‘certainly impending’, but the decision does not seem to have discouraged plaintiffs.

Lawsuits in the US continue, and companies often settle breach cases to avoid engaging in costly litigation and to give finality to an unfortunate event. Settlement amounts vary wildly and are affected by the size of the breach, the sensitivity of data involved in the breach and the type of harm that class members allege, among other factors. On the high end, one corporate breach led to a $10m settlement, but many examples of six- and seven-figure settlements exist as well.

In addition to civil lawsuits brought by consumers, companies that have suffered breaches involving payment card data may face lawsuits from businesses. For example, payment card issuers may sue to recover costs related to handling fraudulent charges and reissuing cards to affected consumers. Payment card brands may also seek to impose significant fines on merchants, based on the view that a payment card breach is evidence of noncompliance with the card brands’ cyber security rules. Directors and officers of a company that has experienced a breach may also face derivative lawsuits from shareholders.

Data breaches may also prompt US regulatory scrutiny and enforcement. For instance, recently the Federal Trade Commission brought an enforcement action alleging inadequate data security practices against a global hotel chain after it revealed that hackers breached its network. The FTC has brought dozens of such enforcement actions. Another federal agency, the Department of Health & Human Services, has recently obtained numerous six- and seven-digit settlements in breaches involving medical information.

Drawing on US law, beginning in 2012, various Canadian common law courts have adopted the doctrine of ‘intrusion upon seclusion’ as a tort to ground civil liability (Jones v. Tsige, 2012 ONCA 32). Since then, class action suits have routinely followed data breaches against governments, hospitals and retailers. Over 20 privacy class actions have been filed in Canadian courts in recent years, some giving rise to settlements involving claims processes for class members. Class action suits have also been filed challenging business practices making use of personal information without express consent.

Although Canadian courts have not recognised a generalised tort of negligent breach of privacy, and the tort of intrusion upon seclusion requires intentional and reckless conduct, without legal justification, that gives rise to a ‘highly offensive’ intrusion into a person’s privacy, this has not tempered the launch of class actions. Notably, proof of actual economic loss is not necessary to sustain a claim for intrusion upon seclusion.

Various federal and provincial statutes in Canada also provide for a civil right of action for privacy breaches, but the cost of individual litigation claims relative to modest damage awards suggests that class actions will be the primary focus of civil remedies in Canada. Modest individual damages, aggregated over a class of thousands, or even millions of individuals in the mega breaches, make the pursuit of civil remedies a more enticing option.

This recent trend of permitting privacy claims, even where no financial loss has occurred, does not appear to be limited to North America but has made its way to the UK. A recent judgment of the English Court of Appeal could significantly broaden the circumstances in which data protection litigation can be brought – and damages can be awarded – under English law.

Vidal-Hall et al v Google, [2015] EWCA Civ 311 involves claims brought by three individual claimants. The claimants allege that Google collected private information about their internet usage via their web browser, without their knowledge or consent. This information was then used to target certain advertisements at the claimants, which were shown on the claimants’ computer screens. The claimants allege that this constitutes a misuse of private information, in respect of which they should be entitled to damages, despite them having suffered no pecuniary loss.

While the judgment itself concerned an issue of procedure regarding service out of the jurisdiction, in reaching its decision, the Court of Appeal confirmed two matters which could be of significant importance to the scope of English data protection law.

First, the judgment recognised that the misuse of private information should be recognised as a tort under English law. This effectively confirms that the claimants (and potential claimants in future cases) have a cause of action to pursue in the English Courts when their private information has been misused. English law has traditionally been reluctant to recognise tortious liability of this nature, but this judgment may indicate that the judiciary’s attitude is changing.

Second, the judgment made important findings on the damages to which claimants may be entitled in cases of this nature. Under s. 13 of the Data Protection Act 1998, individuals who suffer ‘damage’ by reason of any contravention, by a data controller, of any of the requirements of the Data Protection Act are entitled to compensation from the data controller for that damage. To date, pecuniary loss has been a prerequisite for ‘damage’ to be established. However, the Court held that the scope of ‘damage’ under the Act should be interpreted as including types of loss such as emotional distress resulting from the misuse of private information, without having to first establish that pecuniary loss had been suffered by a claimant.

While the substance of the claims in Vidal-Hall remains to be heard, the progress of the case will be keenly watched by many. However, the landscape of English data protection law may have already been significantly altered.

These litigation developments suggest companies facing a data breach must not only confront reputational and business disruption implications but also civil liability risks. For global enterprises, these civil liability risks transcend multiple jurisdictions.


Ffion Flockhart and Steve Tenai are partners, and Andrew L. Hoffman is an associate, at Norton Rose Fulbright. Ms Flockhart can be contacted on +44 (0)20 7444 2545 or by email: Mr Tenai can be contacted on +1 (416) 216 4023 or by email: Mr Hoffman can be contacted on +1 (212) 318 3164 or by email:

© Financier Worldwide



©2001-2019 Financier Worldwide Ltd. All rights reserved.