In its recent judgment the Supreme Court has overturned the Court of Appeal’s decision in the high profile Lloyd v Google case, which would have opened the floodgates for class actions for compensation for loss of control of personal data to be brought on behalf of very large numbers of individuals without identifying class members: Lloyd v Google LLC [2021] UKSC 50. Our full analysis of the Supreme Court’s decision can be found here.

This article examines the implications of the decision from an insurance perspective. Insurers and policyholders alike will no doubt be relieved by the Supreme Court’s decision. But this is not the end of the story.

For now: a relief for liability insurers and their policyholders

Class actions pose a financial risk to businesses and their insurers because they can be very costly to defend and involve significant settlements or judgments to pay. One of the first questions a business will ask when faced with a class action of any kind is whether its exposure is covered by insurance.

Class actions can arise in various contexts and may therefore be covered under various classes of insurance. By way of example:

  • Insurance cover for data class actions is typically provided by standalone cyber policies or by way of an extension to a general liability policy. This usually covers both defence costs and liabilities, as well as related exposures such as the costs of any data privacy regulator investigation and fines (where insurable), incident costs and loss of profits.
  • A securities class action against a company’s directors (and/or the company itself) may be covered under its D&O policy.
  • Consumer class actions, for example, arising from the sale of harmful products, may well be covered under Product Liability policies.
  • Competition class actions may be covered under civil liability insurance.

The financial risk associated with class actions is exacerbated in the context of opt-out class actions because there are fewer hurdles for claimants to overcome in commencing such an action as compared to opt-in class actions, hence the class of people represented may be far wider. In opt-in class actions claimants need to take active steps to join the class. The solicitor conducting the litigation needs to assess each individual’s eligibility to join the class, provide appropriate advice and sign a retainer with each claimant. These limitations of opt-in class actions, as Lord Leggatt described them in his judgment, can be costly and prohibitive. Such limitations do not exist in opt-out class actions making them a greater financial risk for businesses both in terms of the potential frequency with which class actions may be commenced and the scale of those actions.

There could also be wider ramifications because the kinds of events that may give rise to a data class action (such as a cyber-attack) might also give rise to non-data class actions or other related claims, for example by shareholders who have suffered a loss of value of their shares or customers who have experienced service failures or third party suppliers whose supply contracts have been breached. If the floodgates had been opened to opt-out data class actions, the impact on the fall-out from an event giving rise to such an action may have been materially exacerbated. Indeed, it must be understood that class actions are already a significant insurable risk and that has only been increasing in recent years as the UK follows the USA and other jurisdictions such as Australia. For now, however, opt-out class actions for compensation for loss of control of personal data without proof of individual circumstances remain unavailable in principle, although the door has been left ajar as we discuss below.

Given the current hard cyber insurance market, this will be a relief to both policyholders and insurers. With a number of data class actions waiting in the wings, had the floodgates opened it is difficult to know how cyber insurers would have responded (given that renewals are already difficult), whether by charging higher premiums, limiting cover, excluding class actions or perhaps, for some businesses, declining to provide cover at all. In light of the Supreme Court’s decision, it is to be hoped that the cyber insurance market will now start to stabilise rather than having to address an enhanced exposure, although there are, of course, other factors affecting the market such as the increase in ransomware attacks. This may be very important for many policyholders who rely on cyber insurance to transfer cyber and data risks that otherwise their balance sheet might not be robust enough to meet.

The future: bifurcated and top down class actions?

This decision must be seen in the context of the ongoing development of the law around data privacy. Whilst Mr Lloyd did not succeed in using the representative procedure under CPR 19.6 to bring a class action for compensation in this instance, there will no doubt be future attempts by consumers, regulators and other interested parties to hold data handlers, and businesses more generally, to account.

As Lord Leggatt acknowledged, “there is no reason why damages or other monetary remedies cannot be claimed in a representative action if the entitlement can be calculated on a basis that is common to all the members of the class”. The quantum might be the same for all claimants where, for example, every member of the class was wrongly charged a fixed fee or all the members of the class acquired the same product with the same defect which reduced its value by the same amount.

Further, in cases where the damages to be claimed are different for the different members, Lord Leggatt left the door open to two alternative models of representative class actions which he suggested could be used by claimants. This has implications both in the context of data breach class actions and more widely for any type of class action.

First, Lord Leggatt suggested that representative actions could be run as a two stage process. The first stage would use an opt-out representative procedure under CPR 19.6 to establish liability against the defendant for the common benefit of the claimant class. Then a secondary opt-in process would be needed to establish the damages suffered by each member of the class. This is not dissimilar to existing procedures, where test cases are brought in the first instance and further claims are brought later depending on the outcome. The advantage of the process suggested by Lord Leggatt, however, would be that all the claimants in the opt-out class would (if the claim were successful) have the benefit of a binding judgment on liability in their favour. The claimants would then need to bring proceedings for compensation either individually or as part of one or more Group Litigation Orders (where the quantum issues were sufficiently common or related as between the claimants) in order to evidence and claim damages. How this second phase might work in practice remains to be seen.

Second, Lord Leggatt referred to a “top down” process. This would involve claiming compensation for damage suffered by the class as a whole, where that loss can be calculated on a global basis without reference to the losses suffered by individual class members. The advantage of such a process would be that the claim (if successful) would result in a damages payment in the full amount for the whole class. There would, of course, then need to be a mechanism for distributing the damages amongst the class members. Given that Mr Lloyd did not formulate his claim in this way, Lord Leggatt did not discuss the detailed practicalities of how such a process might work or the contexts in which it might be applicable. That too remains to be seen.

Both these suggestions, however, leave open the door for claimants, and their funders, to bring group claims. With the door having been left open in this way, opportunities for litigation funders will continue as investors look to innovative ways to deploy their capital. Likewise, opportunities for After-the-Event (ATE) insurers could increase if the number of claims requiring such insurance increases. ATE insurance is commonly used in class actions, providing cover for the litigating party’s liability for adverse costs or, if a funder has agreed to indemnify the funded party against its potential liability for adverse costs, to cover the funder’s own risk. Although opt-out class actions have not been given a green light by the Supreme Court, as the door has been left open the litigation funding market and ATE insurance market will continue to have a key role to play as class actions are here to stay.

If representative claims are brought using CPR 19.6 under the potential routes above, liability insurance claims will need careful management. Liability insurance covers legal liabilities, but a frequent challenge with class actions is determining liability and quantum and hence potential settlement values in the early stages. Splitting liability and quantum proceedings is nothing new, but there may be increased uncertainty using a bifurcated process because it may be difficult to project at the outset what the second stage will look like and how many claimants will be involved. That said, similar issues arise with class certification in US opt-out class actions of which the insurance market has considerable experience. It will be all the more important for policyholders and insurers (and their lawyers) to work closely together from the outset when faced with challenging issues of this kind so that if a reasonable settlement opportunity arises they are on the same page as to how to proceed.

For the time being, it is likely that all insurance market stakeholders, as well as funders, will be keeping a close eye on how matters progress.

Greig Anderson
Greig Anderson
+44 20 7466 2229
Rachelle Waxman
Rachelle Waxman
Senior Associate, London
+44 20 7466 2400
Antonia Pegden
Antonia Pegden
Senior Associate
+44 20 7466 2530
Sarah Irons
Sarah Irons
Professional Support Consultant
+44 20 7466 2060