While cyber-attacks on healthcare organisations and financial institutions have become commonplace, a recent trend of attacks on professional services firms is particularly concerning. As well as holding personal data, such firms are likely to hold valuable confidential and privileged commercial information belonging to clients. This article discusses the possibility that clients may rely on data protection law in formulating claims against professionals seeking damages for loss of commercial data following a cyber-attack.
The following hypothetical situation is all too easy to imagine. A law firm has a wealthy private client who instructs it to advise on a potential multi-million-pound investment opportunity. The firm holds the client’s personal data (for example, his name, date of birth, address, email address, telephone number and bank account details) but also documents relating to the proposed investment. The firm’s IT security is of a reasonably high standard, but it is not state of the art; more robust IT security could have been installed. In a cyber-attack, sophisticated hackers penetrate the IT security and exfiltrate the client information – that is, both the personal data and the information relating to the investment opportunity (commercial information). The theft of the commercial information leads to the collapse of the investment opportunity, causing the client significant losses.
The client wishes to recoup those losses in a damages claim against the professional. The obvious avenue would be a professional negligence claim, that is to say a contractual claim based on breach of an implied term in the firm’s retainer that it owed him a duty of reasonable skill and care in the performance of professional services, including to safeguard confidential information. But the firm’s answer to that allegation is that its IT security, being of a reasonably high standard, complied with that duty. Can the client circumvent that argument by reliance on the General Data Protection Regulation (GDPR), arguing either: (1) that under the retainer the firm owed him the same, higher duty to protect his commercial data as the firm, as data controller, owed him, as data subject, in relation to his personal data; and/or (2) that, leaving aside the retainer, the client can recover damages under the UK GDPR in relation to the loss of commercial information?
Argument (1): GDPR standard of care implied into the retainer
The GDPR, which came into effect in May 2018, and by extension the UK GDPR, are still quite recent. There is little case law or guidance on the standard required of data controllers in relation to the duty to adopt appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
However, by a comparison of the UK GDPR and the Data Protection Act 2018 (DPA 2018) with their predecessor, the Data Protection Act 1998 (DPA 1998), it appears that the UK GDPR and DPA 2018 require a higher standard in relation to data security than merely to exercise reasonable care. Under section 13(3) of the DPA 1998, the data controller had a defence if it could show that it had exercised ‘such care as in all the circumstances was reasonably required’ to comply with the requirement concerned; in other words, a negligence standard.
By contrast, article 82(3) of the UK GDPR and section 169(3) of the DPA 2018 provide that, in order to have a defence to a claim for damages caused by processing which breaches the legislation, a controller must prove that it was not ‘in any way responsible for the event giving rise to the damage’. Thus, the fact that more robust IT systems could have been installed may render the professional in breach of the UK GDPR even if its existing system would have provided a defence to an allegation of failure to exercise reasonable care.
The client might seek to argue that it would be incongruous if the firm, as data controller, owed him, as data subject, the higher standard under the UK GDPR to use all appropriate technical and organisational measures to protect his personal data; but, on the other hand, under the retainer owed the client a lesser duty of reasonable skill and care in relation to the safeguarding of the commercial data. Thus, the client might argue that it is an implied term of the retainer that, across the board and in relation to all information, the professional owes the higher statutory duty imposed by the UK GDPR.
Argument (2): damages for loss of commercial data recoverable under the UK GDPR
As an alternative to, or in addition to, the first argument, the client might argue that the firm is, independently of the retainer, in breach of the UK GDPR obligations relating to his personal data, and that the damages recoverable include losses referable to the commercial information. In support of this argument, the client might refer to recital 85 of the UK GDPR. This describes the damage caused by personal data breaches as including ‘identity theft… financial loss… or any other significant economic… disadvantage to the natural person concerned’. He might also rely on recital 146, which records that ‘the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of the [GDPR]’.
The damage for which a data subject is entitled to compensation under article 82 of the UK GDPR is that which has been suffered ‘as a result of an infringement’ of the UK GDPR. The client might argue that those words created no more than a ‘but for’ causation requirement, with the result that he (as data subject) could recover damages from the firm (as data controller) for the loss of commercial information (as well as personal data), on the basis that if the firm had complied with its data protection responsibilities in relation to the personal data, the commercial losses would not have occurred.
It has yet to be seen whether such arguments as sketched out above will be advanced against professionals following cyber-attacks, by clients wishing to shore up professional negligence claims by reference to demanding standards required by the UK GDPR in relation to the protection of personal data.
As to the first argument, namely that the contractual standard of care in relation to protection of commercial data is equivalent to the UK GDPR standard owed in relation to personal data, the correct interpretation of a retainer will of course be case-specific, turning on the precise terms and circumstances of the retainer in question. In the absence of factors pointing away from a strict obligation in relation to protection of client confidentiality, a court might be attracted to an argument that a professional’s contractual and statutory obligations should be aligned in relation to the confidentiality of all the client’s information, both personal and commercial. Professionals may have some control over such disputes, since they are free to seek to negotiate the terms of their retainer and to restrict their contractual obligations to reasonable skill and care.
However, as to the second argument, namely that commercial losses are recoverable as a head of loss in claims under the UK GDPR, the professionals have no control. If that argument were correct, that could significantly increase the professional’s exposure. By arguing that the loss relating to the commercial information was caused by the professional’s breach of data protection law, data subjects might mount claims for significant losses greatly in excess of the usually modest awards made for pecuniary and non-pecuniary losses based on loss of privacy. Given the high standard of care required of data controllers by the UK GDPR, the claimants might thus, via a data protection claim, circumvent defences by the professionals to breach of contract claims if the standard required under the professionals’ retainer in relation to safeguarding of information were merely to exercise reasonable care.
There is not yet any reported case on such points in the UK. The Supreme Court decision in Lloyd v Google was imminent as the Gazette went to press, but this appeared unlikely to shed much light on the issue given that that case concerns the DPA 1998 (rather than the UK GDPR/ DPA 2018), and it does not consider claims against professionals for failure to safeguard data following a cyber-attack.
These are, therefore, murky waters. In a world of increasing cyber-attacks on professional services firms holding valuable commercial data, we anticipate that clients will become creative in their claims against those professionals, praying in aid the high standard of care required by the UK GDPR in relation to the safeguarding of data. A strong answer by the professional in response to a UK GDPR claim might be that the intention of that legislation is to protect personal rather than commercial data. Therefore a client cannot, in addition to claiming damages for loss of privacy or loss of control of private information, claim damages in respect of commercial data which would not have been lost but for the data breach, since the loss of commercial data is not within the risk that the UK GDPR seeks to prevent.
But, on the other hand, the client’s riposte might be that no such distinction should be drawn. The recitals to the UK GDPR require ‘damage’ to be broadly interpreted. A data subject may recover financial losses caused by a personal data breach. Where a data subject’s personal bank account is emptied as a result of the bank wrongfully disclosing the data subject’s personal data to a fraudster, it is clear that the money stolen will constitute a recoverable loss. But so might related damage, such as interest charges and fees incurred as a result of subsequent missed mortgage and utility payments, damage arising from a consequent drop in the data subject’s credit score, or a missed investment opportunity. If such consequential financial losses may be recoverable for breach of the UK GDPR, why should losses relating to commercial data held by professionals not also be recoverable? In the current absence of judicial guidance on the scope of damages recoverable under the UK GDPR, it is not clear where the line should be drawn.
These questions will be addressed by the courts in due course, but the law is playing catch-up in a constantly changing area, where each new cyber-attack brings the spectre of further loss and related claims. Until a degree of clarity is achieved, claims will be brought, and even if professional services firms are successful at keeping them at bay, the irrecoverable costs of doing so will continue to increase.
Robert Allen and Felix Zimmermann, Simmons & Simmons