On 10 November 2021, the Supreme Court issued its ruling in the long-running personal data protection case of Lloyd vs Google. The claimant’s case was rejected by the court. However, if it had been successful, it could have seen pay-outs totalling billions.
Lloyd v Google

The case relates to events in 2011-2012 when it is alleged that Google secretly tracked the internet activity of Apple iPhone users, and used it for commercial purposes. The claimant, Richard Lloyd, had sought to bring the claim on behalf of all England and Wales residents who owned an iPhone at the time (over 4 million people). The compensation figure floated was £750 per user, even though they suffered no monetary loss.

Within the judgement, the judge said the case had a “real chance of success”1 if pursued by the claimant as an individual, instead of as a mass action. Whilst the risk of a class action might have waned, the risk of litigation by individuals who have had their privacy breached still remains very high and, arguably, since the case, this risk may have increased. Perhaps unsurprisingly, there has been an uptick in solicitors, social media and TV programmes, advising consumers of their rights.

Any organisation collecting individual/personal data for their business has a statutory duty to keep the data safe—even if the data ends up being released by malicious means, such as a rogue employee, or ransom attacks that threaten to release data onto the dark web. The first quarter of 2020 was one of the worst in data breach history, with over 8 billion records exposed—and this number is growing.2 Data breaches can hurt both the individual and the company. An increase in scam emails, text messages and calls that can seemingly appear legitimate are all playing their part in heightening the risk of data breaches for victims. The impact to an organisation can be anything from negative PR to substantial costs, and even a reduction in income from users unwilling to trust a business that can’t keep their personal data safe.

In the event of a data breach or ransom demand, UK businesses have a regulatory requirement to report to the Information Commissioner’s Office (ICO) and advise any individuals that their privacy has been compromised. We have seen from several high-profile losses in the last year that solicitors are not slow in coming forward to offer their services. We’ve seen examples of compensation from £300 to £750 for an individual loss of data—which could produce a compensation bill of £1 million+ for a small 2,000-person data breach. And that’s just the compensation—before any legal costs, defence costs, IT security costs and regulatory costs are realised.

Like many circumstances, the above risks can be insured. However, cyber insurance is a specialist cover that needs support in placing from a broker such as Gallagher who has expertise in this area. We can guide and support your process in obtaining cyber insurance in a difficult market, as well as advice and support in improving your systems—not only to allow you to obtain cover, but also to improve and secure your systems to help protect against the breach in the first place.

  1. Supreme Court blocks mass iPhone claim against Google, https://www.bbc.co.uk/news/technology-59221037
  2. All Data Breaches in 2019-2021—An Alarming Timeline, https://selfkey.org/data-breaches-in-2019/

Further sources:

The sole purpose of this bulletin is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.