Adding publicity to the recent string of security breaches, Gemalto’s Breach Level Index released information on October 9, 2018 stating that for the first half of 2018, approximately 291 records were stolen or exposed every single second. Gemalto estimates that 945 data breaches led to the release of 4.5 billion data records being compromised worldwide, which increased approximately 133% in the last year. These data breaches came from varying industries, with health care representing 27% of data breach incidents and the financial sector following with an estimated 14% of the data breach incidents. Of all the data and records stolen, it is estimated that just 1% of this data was encrypted and only 9% of the security breaches were the result of an accidental loss.
This information comes as more than just a P.S.A. Both threatened and actual data security breaches pose a significant legal threat to all types of businesses – large and small, global and local. Therefore, many forward thinking organizations are increasing their security systems and updating policies to mitigate potential legal claims for security breaches.
While the question of whether or not the fear of identity theft following a data breach is sufficient to constitute standing for a class action is largely undecided in the United States, the United Kingdom’s High Court already answered in the affirmative. More than 5000 current and former employees of Morrison’s, an online supermarket, are suing their former employer in a class action for damages related to a data leak that resulted in exposure to potential identity theft and financial losses. In 2014, a former Morrison’s employee leaked 100,000 names, addresses, bank account details and salaries of his co-workers online and sent it to a newspaper. While Morrison’s spent more than 2 million pounds to mitigate the effects of and remedy the breach, the issue of monetary damages that it may owe its former employees remains outstanding.
The Morrison’s matter was the first data leak class action in the United Kingdom. In 2017, the High Court ruled that Morrison’s was vicariously liable for this criminal data breach by its former employee and allowed those affected by the data breach to claim compensation for distress. Morrison’s is presently appealing this ruling.
No similar legal battle has yet played out so openly in the United States, as Target’s 2017 data breach resulted in a multi-million dollar settlement with the affected customers. However, with the ongoing and ever increasing number of cyber threats and attacks on both private and public organizations, it is expected that victims of data breaches may become the next wave of class action plaintiffs.