Civil Liability for Mass Data Loss: Lessons from the USA

December 9, 2009

In November 2009 the Information Commissioner’s Office (ICO) revealed that there have been over 700 ‘security breaches’ in the two years since the HMRC’s loss of 25 million child benefit records in 2007. 

What happened to HMRC is undoubtedly the best known of the many cases where organisations have suffered the loss or theft of large amounts of employee, customer, tax-payer, or other third-party data held on laptops, USB sticks or other portable media.  The portability of such data, the need to allow people access to it, its potential value to criminals (or just the value of the hardware containing it) and the simple fact that people make mistakes all mean that no organisation handling data can ever be sure that it will not suffer a similar loss.

What are the civil legal consequences for an organisation that mislays or suffers the theft of large amounts of customer or employee data?[1]  Can ‘victims’ (that is, the subjects of the data) successfully bring a claim for compensation in the civil courts? 

In the USA, a number of cases have been adjudicated on.  Since the American legal system is based on similar legal principles to the English, it is worth considering those cases to see whether the floodgates might one day be opened in the English courts. 

Tortious Liability at Common Law

The US cases can be divided into two categories depending on whether or not there is a contractual relationship between the parties. Very often, a person whose details are lost may not have a contractual relationship with the party that lost them.  In those circumstances, the victim may[2] have to argue that the party who lost the data owed a duty to him or her, that the party breached that duty, and that the party caused the victim a loss, thereby creating a legal liability in the tort of negligence.  Negligence has been claimed in several US cases, with varying degrees of success.

In Stollenwerk v TriWest Healthcare Alliance,[3] claims were brought in the federal courts by members of the US military.  TriWest was a contractor to the US government that managed a local region of the Department of Defense’s health insurance program.  It suffered a security breach at one of its facilities during which computer hard drives containing the claimants’ names, addresses, dates of birth and social security numbers were removed.  Some of the individuals whose information was compromised brought claims against TriWest in negligence for the loss of their sensitive personal information (as well as for other US-specific torts and contractual and statutory claims).  Two of the claimants, Michael Stollenwerk and Andrea DeGatica, alleged that they suffered loss in the form of payments they had to make for ‘credit monitoring services’ to protect themselves from potential identity theft.  A third, Mark Brandt, suffered actual identity theft when his personal information was subsequently used on six occasions to open or attempt to open unauthorised credit accounts, and more than $7,000 was charged to these accounts. 

The claims went through a number of stages.  First, TriWest successfully applied to have all of the claims dismissed, apart from the negligence claims and those based on statute.  The claimants subsequently amended their remaining claims but, following a further application by TriWest, all of those were also dismissed, with the exception of the negligence claims.

Following this second dismissal, TriWest applied for summary judgment on the remaining negligence actions.  TriWest argued that Stollenwerk and DeGatica (who had not been the victims of identity fraud) had failed to assert a viable claim for damages.  Specifically, TriWest argued that they had failed to prove that the cost of credit monitoring was an injury for which TriWest was liable in negligence.  It also argued that Brandt had failed to prove causation. 

The court compared cases involving exposure to toxic substances or unsafe products (where the cost of medical monitoring may constitute an actionable injury in the US) to the ‘exposure of confidential personal information.’  The court decided, however, that toxic tort cases ‘necessarily and directly involve human health and safety’ whereas ‘credit monitoring cases … do not.’  The court found that this public health interest provided the justification in toxic tort cases for the ‘departure from the general rule that enhanced future risk of injury cannot form the sole basis for a negligence action.’

Even if credit monitoring costs were sufficient injury to make TriWest liable in negligence, the court held that Stollenwerk and DeGatica did not have enough evidence to survive TriWest’s summary judgment application.  They had not done enough to put in issue (1) whether the personal information on the stolen computers was ever exposed to the thieves involved; (2) whether their risk of suffering identity fraud had significantly increased; and (3) whether credit monitoring would substantially reduce the risk of identity fraud.  Accordingly, Stollenwerk and DeGatica’s claims were dismissed.

The court then turned to TriWest’s assertion that Brandt had failed to provide enough evidence to show that the security breach caused the subsequent theft of his identity.  In order to avoid summary judgment, Brandt had to show that it was reasonably likely, not merely possible, that the defendant’s act or omission caused his loss, and that circumstantial evidence ‘must permit a jury[4] to draw reasonable inferences, not merely speculate or conjecture.’  Brandt produced evidence of six occasions after the burglary on which someone had attempted to open accounts in his name.  The court held that Brandt had nevertheless not produced enough evidence to survive summary judgment.  The court observed that ‘[s]tanding alone . . . Brandt’s evidence that the burglary preceded the incidents of identity fraud does not allow a reasonable jury to infer that the burglary caused the incidents of identity fraud.’

A second influential and much cited case is Forbes v Wells Fargo Bank,[5] where bank customers sued Wells Fargo after the theft of computers containing customers’ personal information.  Like two of the claimants in Stollenwerk, neither claimant in Forbes actually suffered identity theft, and there was no indication that the thieves intended to commit identity theft.  Among other claims, the claimants alleged that Wells Fargo negligently failed to protect the customer information. 

The court granted Wells Fargo’s summary judgment application, finding that the claimants failed to allege a sufficient present injury or reasonably certain future injury to qualify as damages.  First, the court held that the mere increased risk of future harm cannot form the basis of damages absent a ‘reasonably certain future harm.’  Second, the court held that mere time and money spent by claimants monitoring their credit is insufficient to establish damages, and that the money was merely spent based on the ‘anticipation of future injury that [had] not materialized.’  In summary, the court held that ‘perceived risk of future harm’ without a reasonably certain future harm could not comprise the injury element necessary for recovery under negligence. 

A third influential case, again finding no recoverable injury under negligence, is Kahle v Litton Loan Servicing LP.[6]  As in Forbes, the claimant sued following the theft of customer personal information, despite the absence of any identity theft or misuse of the claimant’s personal information.  Relying on the reasoning in Forbes, the court found that the claimant failed to show any present or imminent future harm, characterising the claimant’s injury as ‘purely speculative’.  The court emphasised the absence of any evidence that the thieves targeted the computers for personal information, as well as the absence of any evidence that the thieves could successfully access the information protected by several layers of password-protected security.  As in Forbes, the court found that mere speculative increased risk of identity theft and the cost of maintaining a credit monitoring service does not amount to a present or imminent future harm necessary to recover under negligence under US law.

Lastly, in Guin v Brazos Higher Education Service,[7] the claimant brought a number of claims against Brazos based on the theft of laptops stolen from an employee’s home office.  Guin’s claims were based in part on Brazos’ failure to comply with a duty of care imposed by statute regarding the protection and security of customer non-public personal information.  Guin also asserted a second claim in negligence, based on Brazos’ purported failure to comply with its own privacy policy.  The court granted Brazos’ application for summary judgment, holding that Guin failed to provide any evidence that Brazos (1) had failed to comply with the relevant statute, and (2) could reasonably foresee that its laptop would be stolen from the home office of its employee during the course of a burglary.  The court then noted that, had Guin been able to show a breach of duty to support his negligence claim, his claims still would have been dismissed because he had not alleged or shown that he had actually been the victim of identity theft or suffered financial loss as a result of Brazos’ data compromise.  Guin takes the approach that a mass security breach does not inherently result in a viable negligence claim.  Claimants must prove the existence of a duty of care, breach of that duty, causation, and appropriate accrued economic damages in every case.

While the Stollenwerk court initially appeared to provide hope to claimants seeking recovery under negligence by drawing an analogy with medical monitoring cases, numerous subsequent federal cases have demonstrated a clear trend toward requiring a present harm or imminent future harm.[8] 

Stollenwerk, Forbes, Kahle, and Guin are potentially significant for two reasons if followed by English courts.  First, they would effectively bar negligence claims by claimants whose personal information has been compromised, but who have not yet suffered identity theft or other tangible loss.  Because prudence demands that individuals whose information is compromised in this manner take affirmative steps to prevent identity theft, these cases may effectively prevent a large portion of the costs generated by information loss from being shifted onto the businesses that are themselves the primary victims of the information thieves. 

Secondly, these cases are potentially important because they raise a significant, though by no means insurmountable, hurdle for claimants who in every case must establish causation to recover damages, by requiring some evidence that the alleged wrongful acts caused a recognisable loss.  Mere evidence of a security breach and exposure of personal information followed by identity theft or other loss would be insufficient since such reasoning invokes the logical fallacy that simply because one thing happens after another, the first event caused the second.

If the reasoning in Stollenwerk, Forbes, Kahle and Guin were to be followed by English courts, it seems that this evidentiary requirement may prove fatal to many claims, given that most claimants will have provided their personal information to many different third parties. 

While a clear trend has emerged requiring plaintiffs to demonstrate present or imminent future risk of harm to recover under negligence, two other cases with different results warrant consideration.  In Bell v Michigan Council 25 of the American Federation of State, County, and Municipal Employees,[9] a group of emergency service operators suffered identity theft and sued their union alleging that their personal information had been compromised by the union’s treasurer.  The treasurer had frequently taken work records containing personal information of union members home with her.  Her daughter was later arrested for her participation in the appropriation of the service operators’ identities.  The daughter admitted involvement and was convicted, but denied taking any of the information from her mother.  In the subsequent civil claim, the criminal investigating officer testified that the prosecuting authorities had not conclusively established how the daughter acquired the lists.  At trial, the jury awarded the claimants $275,000 based on negligence. The union appealed.

On appeal, the union argued that the judge had been wrong to refuse its assertions (1) that the union did not owe the service operators a duty to protect them from the unforeseeable criminal acts of a third party, and (2) that no special relationship existed between the union and its members such that the union had a duty to protect its members from unforeseeable risks. 

The court noted that the relationship between the union and its members was one of trust in which the union was obliged to ‘act on behalf of, and in the best interests of,’ its members.  ‘It follows,’ the court continued, ‘that part and parcel of that relationship is a responsibility to safeguard members’ private information.’  The court also noted that ‘society has a right to expect that personal information divulged in confidence’ to a union would be guarded with ‘utmost care,’ and that the union was in the best position to protect its members because it controlled access to its membership lists.  Moreover, the court noted that the risk of harm resulting from misuse of the service operators’ personal information was foreseeable.  The court recounted evidence that the union’s board members were aware that the treasurer frequently took lists containing members’ personal information home with her, and had discussed the risks of this activity on several occasions.  The court found that the severity of the risk created by this activity was high given the increasing prevalence of identity theft, and that the ‘commonplace’ nature of identity theft made the risk of loss from criminal acts foreseeable.  In addition, the court observed that the ‘burden on [the union] in terms of securing its members’ information is not great,’ and that despite this fact, ‘the union had absolutely no procedures or safeguards in place to ensure that confidential information was not accessed by unauthorized persons.’

Based on its consideration of these factors, the court concluded that a special relationship existed between the union and its members such that the union owed the claimants ‘a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information.’  The court was careful to limit the scope of its decision, however, noting that it did not intend it ‘to be construed as imposing a duty in every case where a third party has obtained identifying information and subsequently uses that information to commit the crime of identity theft.’  Instead, the court limited its judgment ‘to the facts of this case where defendant knew confidential information was leaving its premises and no procedures were in place to ensure the security of the information.’

In Daly v Metropolitan Life Insurance Co.,[10] a New York court refused the defendant’s application for summary judgment to dismiss a claim that the company negligently allowed workers at its office access to the claimant’s personal information and thereby enabled the workers to steal her identity.  Daly had completed a life insurance application which required her to provide personal information, including her name, date of birth, driver’s licence number, and social security number.  On receipt of the application, Met-Life sent her a copy of its privacy policy outlining their efforts to safeguard such personal information.  Met-Life later unintentionally allowed staff access to Daly’s personal information.  The staff members used Daly’s information to commit identity theft by establishing and using numerous credit card accounts in her name.  Following discovery of the identity theft, Daly sued Met-Life alleging negligence.  Met-Life applied for summary judgment, arguing that Daly could not establish negligence, damages, or foreseeability.

The court rejected Met-Life’s arguments and refused summary judgment, allowing the case to proceed to a full trial.  The court found that Daly had provided sensitive personal information to Met-Life relying on its promise that it would safeguard her information.  The court observed that Daly’s claim was ‘similar to those seen in causes of action for breach of fiduciary duty of confidentiality.’  The court found this duty of confidentiality arose from an implied covenant of trust and confidence, and that such a covenant could be inferred in business dealings where one party placed trust and confidence in another to exercise discretionary functions for the other party’s benefit.  The court noted that ‘[w]hile this concept has never before been applied to issues surrounding the protection of confidential personal information, perhaps in the absence of appropriate legislative action, it should.’  The court concluded that Met-Life had a duty to protect the confidential personal information provided by the claimant.  Implicit in Daly’s agreement to supply Met-Life with highly sensitive personal information was a covenant to safeguard this information.

The court did not, however, decide whether Daly had adequately established damages, and whether liability in negligence could be predicated on the criminal acts of third parties.

Both Bell and Daly should give pause for thought to businesses that collect personal information from their customers or staff.  Although ostensibly limited to its facts, Bell provides that a business that knows confidential information in its possession is being exposed to potential loss or theft must take remedial actions to prevent such loss or theft, or else risk tort liability if the information is compromised and some harm ensues.  This reasoning assumes that the risk of identity theft is pervasive, and that the risk is common knowledge such that businesses in possession of sensitive personal information have a duty to take precautions to mitigate known security risks. 

Daly reaches beyond the limited outcome in Bell and assigns to businesses in possession of sensitive personal information a quasi-fiduciary duty to safeguard such information against loss.  Notably, the court in Daly did not engage in an extensive discussion of facts giving rise to an awareness on the part of Met-Life of a significant risk to Daly’s information, nor did it opine about the lack of security measures in place.  Rather, the court’s finding of negligence was seemingly predicated solely on the fact that the information was compromised.

Contractual liability

Not all data loss cases heard by US courts have been in non-contractual situations based on negligence.  In Kuhn v Capital One Financial Corp.,[11] a Massachusetts court heard an application for summary judgment seeking to dispose of a claim alleging breach of contract (as well as breach of an implied covenant of good faith and fair dealing, negligence, misrepresentation, breach of fiduciary duty, and invasion of privacy).  These claims were brought after an unidentified computer hacker broke into the web site server of a merchant that accepted payment via Capital One Visa and gained access to Kuhn’s Capital One Visa card information.  On that same day, Capital One contacted Kuhn and informed her that it had shut down her account, and that no further action was necessary on her part.  Capital One also sent Kuhn a letter to the same effect.  Within days of the hacking incident, approximately 18 fraudulent accounts were opened in Kuhn’s name and $25,000 was wrongfully charged.  Kuhn sued Capital One, and Capital One subsequently applied for summary judgment to dismiss all claims. 

On the breach of contract claim, the court found that Kuhn’s relationship with Capital One was governed by Capital One’s Privacy Notice and Customer Agreement, which provided that ‘we [Capital One] can take steps to protect you from identity theft, fraud, and unauthorized access to personal information about you.’  Kuhn argued that this provision obliged Capital One to inform her that she needed to contact credit reporting agencies and place a fraud alert on her account in order to prevent identity theft.  But the court found that this obligation came from a section of the contract titled ‘Why we may collect and share information,’ indicating that the provision was not a guarantee against illicit use so much as an invitation to share information.  The court also observed that the Privacy Notice contained a link to Capital One’s web site for those who wanted to learn more about the policy.  Noting that this information put Kuhn on notice that the written Privacy Notice was not the only source of information about the policy, the court found that the web site contained the very exhortations that Kuhn claimed Capital One had failed to provide.  The court then observed that the Customer Agreement contained no guarantees against illicit use in the event of a lost or stolen card, and limited Kuhn’s liability for wrongful charges to $50 — a term that Capital One had honoured by not holding Kuhn personally liable for the fraudulent charges to her account. 

Based on these findings, the court granted Capital One’s application for summary judgment and dismissed Kuhn’s contract claim.  (The court likewise rejected Kuhn’s claim for breach of an implied covenant of good faith and fair dealing on grounds that Capital One had fulfilled its contractual obligations by notifying her of the breach and deactivating her account.)

Kuhn appealed the summary judgment decision and, on appeal, the decision was reversed, largely in reliance on evidence from Kuhn that at least one Capital One employee had told her that the security breach had occurred at Capital One.[12]  In doing so, however, the court acknowledged that Kuhn’s assertion ‘may only provide the plaintiff a toehold, which may very well disappear through later discovery.’

Kuhn highlights the importance of conveying accurate information to consumers whose personal information is compromised.  Businesses that experience breaches and determine that they are required to notify those in question,[13] or decide that they should do so, must not only concern themselves with notifying affected consumers, but also with accurately notifying consumers about appropriate steps to take.  It would be a sad irony for a business to take positive steps to notify a customer, only then to be held liable in misrepresentation for negligently conveying incorrect information that causes the consumer additional loss.

In Jones v Commerce Bancorp,[14] the claimant alleged negligence, breach of fiduciary duty, intentional and negligent infliction of emotional distress, commercial bad faith and breach of contract.  In May 2005, several Commerce employees were arrested for the theft of large amounts of confidential information from the company’s databases.  On 22 May 2005, Jones learned that funds were missing from her bank account and that a separate, fraudulent account had been opened in her name.  Commerce eventually credited the fraudulently withdrawn funds back to Jones’ account.  The court granted Commerce’s application to dismiss the commercial bad faith, consumer fraud, and infliction of emotional distress claims, but found that Jones had successfully pleaded claims for negligence, breach of fiduciary duty, and breach of contract.

In upholding the right to pursue the negligence claim, the court relied on Jones’ allegations that Commerce knew of the fraudulent activity within its branch network and failed to stop it.  In refusing to dismiss Jones’ claim for breach of fiduciary duty, the court reasoned that, given that Jones was required to submit confidential data to Commerce and that Commerce’s ‘Booklet with Deposit Rules, Regulations, Disclosures and Privacy Notice’ represented that such data was protected by a variety of measures,  ‘plaintiff was entitled to rely on Commerce’s superior expertise to safeguard her personal confidential information.’

Jones characterised Commerce’s booklet as a contract and alleged that it was breached when Commerce allowed unauthorised withdrawals from her account.  Commerce did not challenge Jones’ interpretation of the booklet as a contract but rather claimed that, since it replaced the fraudulently withdrawn funds, no damages resulted from any breach.  The court disagreed, reasoning that ‘[p]laintiff may be able to prove some (albeit minimal) damages stemming from her inability to access her funds for several weeks prior to their restoration by Commerce.’

Jones is noteworthy for two reasons.  First, its reasoning suggests that booklets and similar literature describing security policies can be construed as a contractual document between the institutions promulgating them and victims of identity theft.  Secondly, Jones serves as a reminder that the inability to access funds for a short period of time due to identity theft could give rise to damages in a claim for breach of contract.

Lastly, in Hendricks v DSW Shoe Warehouse, Inc., the claimant sued DSW based on its consumer data security breach.[15]  Her claims were based on her fear of becoming a victim of identity theft and the costs of credit monitoring services.  The court granted DSW’s application to dismiss on the grounds that the claimant had not suffered a legally recognisable injury.  Because the claimant had not been the victim of actual identity theft, she had no recognisable damages.  There was no relevant statute, nor any judicial precedent, to support Hendricks’ assertion that the purchase of credit monitoring constituted either actual damages or a recognisable loss.

As discussed above, because the general concern most often associated with a mass data breach is identity theft, many claimants in the US have advanced legal theories that depend on a damage claim arising from the fear or risk of future identity theft.  Hendricks, as well as the cases discussed in the previous section, indicate that these claims based on a future risk of injury are on very shaky ground.  The clear trend in the US is that plaintiffs must show actual identity theft or the presence of unauthorised charges to recover on claims based on a mass data breach.  The same should apply in England. 

Statutory protection in England – the Data Protection Act 1998

One difference between some US states and England is that in the UK victims of data loss may be able to bring claims on the basis of rights given to them by statute, without needing to prove that they were owed a duty of care or were in a contractual relationship with the defendant.

The UK statutory scheme relates to all aspects of ‘data’.  The Data Protection Act 1998 protects ‘personal data’ and ‘sensitive personal data.’  These are defined so that the sort of customer/employee data lost by organisations will normally be covered by the DPA, provided the claimants are natural persons.[16]  Section 13 provides that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation.  And in certain limited circumstances an individual who suffers distress by reason of any such contravention is also entitled to compensation for that distress.[17]  It is a total defence for a data controller to prove it ‘had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.’[18]

One of the requirements of the DPA is that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’[19]  Also, ‘[h]aving regard to the state of technological development and the cost of implementing any measures, [those] measures must ensure a level of security appropriate to (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected.’[20]

Thus, in the majority of data loss cases, the DPA will apply and any victim will automatically have a right to bring a claim for damages without needing to (1) prove a separate duty of care owed by the defendant, or (2) demonstrate a contractual relationship.  But there will still be a need to prove a failure to take appropriate technical and organisational measures since the data controller will be able to avoid liability if it can demonstrate that it took reasonable care.  In other words, the simple fact of a data breach does not, of itself, make the data processor liable to pay damages under the DPA.

What is more, the ‘victim’ will still have to show that he or she suffered a recoverable loss.  As the DPA states, compensation is only recoverable by someone who ‘suffers damage’.  In Johnson v Medical Defence Union Ltd (No 2),[21] the Court of Appeal said that there was no compelling reason to find that the word ‘damage’ in the Act had to go beyond its root meaning of pecuniary loss, and the EU legislation that gave rise to the DPA did not require compensation to be available for every type of loss.  Claimants must prove a legally recognised pecuniary loss in the same way as if the claim were brought in negligence or for breach of contract.[22] 

The DPA does not impose any other obligations or provide any other rights that relate to the victims of data security breaches.  This is perhaps because the DPA was enacted before mass data losses became widespread and indeed before the global spread of laptops and memory sticks.  That vacuum has been filled in part by the ICO, which has published a ‘good practice note’ on data security breach management.[23]  This note does not have any legal force in itself, but is intended by the ICO to assist organisations in deciding on an appropriate course of action if a breach occurs.  The note suggests organisations undertake a plan with four stages, namely (1) containment and recovery, (2) assessment of ongoing risk, (3) notification of breach and (4) evaluation and response.

Conclusion

What can be drawn from these US cases?  Since the US court system is generally perceived as being more claimant friendly than the English system, the comparative lack of success by US claimants is notable.  If nothing else, these cases demonstrate very clearly that the simple fact that confidential personal data has been lost will not necessarily lead to compensation.

Cases like Stollenwerk, Forbes, Kahle, and Guin show that to claim damages successfully, claimants must show that they have truly suffered a financial loss – normally as a result of identity theft or, perhaps, on the reasoning in Jones, from an inability to access their money. 

Worse still for claimants, even if they have been the victims of identity fraud following a data loss and have lost money as a result of that fraud, they may still not be able to bring a successful court action.  Claimants in the US and England bear the burden of proving their cases and, as cases like Brandt and Kuhn demonstrate, the fact that a fraud happens after a data loss does not mean that the data loss caused the fraud.  In the modern world where most people’s personal details are held by government departments, banks, credit card companies, employers, e-commerce websites and the local pizza delivery company, how often will a court be persuaded that the defendant caused the claimant’s loss?

On the other hand, defendants will be most concerned by the willingness of some courts (Bell, Daly, Jones) to impose special duties of care when personal information is given to third parties, over and above the normal duties owed by commercial counterparties.  With these duties come increased responsibilities and thus a greater likelihood of legal responsibility.  No doubt English courts would be asked to impose similar raised standards were a claim for mass data loss to be brought here.

Of course, it should never be forgotten that irrespective of the niceties of the law, the threat of legal proceedings – bad publicity and the risk of an adverse court ruling – will be enough for some organisations to decide they have no option but to settle claims following a mass data loss.  In a dramatic example of this, in January 2009 the US Veterans Affairs Department agreed to pay $20 million to veterans following the loss of a laptop and external hard drive containing personal details of up to 26.5 million veterans and troops,[24] despite the fact that the laptop was recovered intact.  Much of the criticism was directed not at the loss itself, but rather at the fact that the loss was not admitted to veterans for three weeks following the theft.  As ever, careful handling of customers and the media following an incident such as a mass data loss, with due consideration of public relations issues as well as legal obligations, may have a significant impact on the final outcome.

Finally, so far as ‘statutory rights’ are concerned, it seems that there is little additional protection for victims.  Although s. 13 of the DPA gives most data loss victims the right to go to court, they must still show a failure to take appropriate technical and organisational measures.  Section 13 will not relieve claimants of their obligation to prove a loss caused by the defendant.

It seems that the floodgates are far from open, and if the US experience is anything to go by, there will be little pressure on them for the foreseeable future.

Robin Preston-Jones is a Solicitor at Baker Botts (UK) LLP. Parts of this article are taken from an earlier article written by Chad Pinson, a partner in the Dallas office of Baker Botts, first published in the Technology Journal of the Southern Methodist University in Dallas, Texas.  The author was also assisted by Paul Russell, a Dallas-based associate in Baker Botts LLP.



[1] If such an organisation has outsourced some responsibility for the handling of that data to a third party, issues will arise as to the liability of the third party for losses suffered by the organisation. This article does not address those issues.

[2] Although see the section below on statutory protection.

[3] No. 03-0185PHXSRB, 2005 WL 2465906 (D. Ariz. Sept. 6, 2005).

[4] Civil claims in the USA are generally heard in front of a judge and jury, unlike in England.

[5] 420 F. Supp. 2d 1018 (D. Minn. 2006).

[6] 486 F. Supp. 2d 705 (S.D. Ohio 2007).

[7] No. 05-668 RHK/JSM, 2006 WL 288483 (D. Minn. Feb. 7, 2006).

[8] See, e.g., Piscotta v Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); In re Hannaford Bros. Co., 613 F. Supp. 2d 108 (D. Me. 2009); Caudle v Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).

[9] No. 246684, 2005 WL 356306 (Mich. Ct. App. Feb. 15, 2005).

[10] 782 N.Y.S. 2d 530 (N.Y. Sup. Ct. 2004).

[11] No. CA015177, 2004 WL 3090707 (Mass. Super. Ct. Nov. 30, 2004).

[12] Kuhn v Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931 (Mass. App. Ct. Oct. 23, 2006).

[13] As to the requirement to notify a data loss in England, see the section on statutory protection, below.

[14] No. 06 Civ. 835(HB), 2006 WL 1409492 (S.D.N.Y. May 23, 2006).

[15] 444 F. Supp. 2d 775 (W.D. Mich. 2006).

[16] ‘Data’ is defined as information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should be processed by means of such equipment; (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record; or (e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

‘Personal data’ means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Data Protection Act 1998, c. 29, § 1.

[17] Provided they also suffer other recoverable damage, or if the contravention relates to the processing of personal data for the ‘special purposes’ of journalism or artistic/literary purposes.  § 13(1) and (2).

[18] § 13(3).

[19] Sched. 1, Part 1.

[20] Sched. 1, Part 2.

[21] [2008] Bus. L.R. 503.

[22] The only exception to this position is where there is a claim for distress in the circumstances set out above.

[23] Information Commissioner’s Office, Guidance on Data Security Breach Management, http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/guidance_on_data_security_breach_management.pdf (last visited Nov. 23, 2009).

[24] A comparable number to the 25 million victims of HMRC’s loss of child benefit records, which similarly was not reported to the public until four weeks later, on 20 November.  It is understood that none of HMRC’s victims subsequently received compensation.