Reputation Matters - Upholding Your Good Name
Charities face reputationally sensitive issues on a regular basis.
Negative press can be hugely damaging and can harm the public trust and confidence placed in charities, which in turn can affect relationships with beneficiaries, donors, regulators and trustees - all of which are crucial to the operation of a charity.
In this article we discuss topics associated with reputation and provide some practical tips to help charities protect their reputation and respond to a crisis.
Defamation
For a statement to be considered defamatory it must:
- be identifiably about the claimant
- have caused or be likely to cause 'serious harm' to the reputation of the claimant
- have been published to a third party
- use words which, by their natural and ordinary meaning are defamatory
In addition, where a claimant 'trades for profit', the defamatory statement must be considered to have caused or be likely to cause 'serious financial harm'. Although charities generally do not 'trade for profit', it is worth bearing in mind that there could be some ambiguity as to whether serious financial harm must be shown by a charity bringing a defamation action depending on the circumstances - eg where a subsidiary of the charity operates a shop through a trading arm that does trade with a view to making profit.
The most common defences to defamation claims are:
- Truth. If the statement is and can be proven to be true, that is a defence. However, other claims such as privacy and data protection claims could still arise in respect of published statements where truth would not be a defence.
- Honest opinion. If the statement was an opinion held by the person making it, and was an opinion which an honest person could have held based on any fact in existence at the time the statement complained of was published, and the basis of that opinion was indicated, that can be a defence.
- Public interest. If the statement was on a matter of public interest and the defendant reasonably believed publishing the statement was in the public interest, that can be a defence. Careful consideration would be needed ahead of publishing something which may require reliance on this defence.
- Qualified privilege. If someone is under a legal, moral or social duty to make the statement and the person it is being made to has a reciprocal interest in receiving it (eg reporting concerns to the Charity Commission), that can provide a defence. However, this defence can be defeated if it can be proven the statement was made maliciously or in bad faith.
- Website operator defence. It is a defence if the website operator can evidence that it did not post the statement and the actual author can be identified. This is often a difficulty when posts are made on social media platforms.
The limitation period within which a claim for defamation must be commenced is one year from the date of first publication of a defamatory statement.
Harassment and Online Trolls
Harassment is a criminal offence that also gives rise to a civil action. In serious cases of harassment it is often sensible to report the matter to the police for criminal action to be taken (which is quicker and cheaper than civil action and can achieve the same aim - ie for the harassment to stop). Typical examples of harassment include online trolling or abuse that targets particular (often senior) individuals within an organisation. There needs to be a course of conduct for harassment to occur, which means there must be at least two instances of the offending conduct in order for it to be defined as harassment.
Although a charity cannot be the 'victim' of harassment for the purposes of harassment legislation, individual employees and/or trustees affected could take action to protect themselves, or the charity may be able to bring an action on their behalf in a representative capacity.
Perpetrators are often anonymous. However, if you can lift the anonymity, the troll often stops. Ways to try to identify anonymous trolls include:
- legal action against 'persons unknown' (although this leaves the practical issue of how to enforce any decision obtained)
- conducting a WHOIS search if the trolling is occurring on a particular website to identify ownership of the website (provided there isn’t a privacy service in place)
- checking the user tag to see if the offending party has used the tag in other internet posts which could reveal their identity
- court applications against third parties who may hold information which identifies the individual
Data Breaches
Charities often hold a vast amount of sensitive data, including about their beneficiaries who may be vulnerable. In recent years we have seen a vast increase in claims against organisations arising from data breaches. These claims can be hugely time consuming and costly for those defending them. However, we have recently started to see a turn in the tide for data protection litigation in favour of defendants, as demonstrated by three recent cases.
The case of Lloyd v Google LLC [2021] UKSC 50 related to a Safari 'workaround' software. It was installed by Google on some Apple iPhones which enabled cookies to track users across websites to improve targeted advertising. Mr Lloyd brought a representative claim for damages for breach of the Data Protection Act 1998 (DPA) on behalf of himself and millions of other individuals alleged to have been affected by the software. The Supreme Court held that in order to obtain compensation for breach of the DPA, each claimant would need to demonstrate wrongful use of their personal data and material damage or distress resulting from it, which was not compatible with a representative action.
In the case of Warren v DSG Retail [2021] EWHC 2168 (QB), Mr Warren brought a claim against DSG following a cyber-attack on DSG's systems which contained his data. His claim was for breach of the DPA, misuse of private information, breach of confidence and negligence. All of these claims were struck out save for the claim relating to a failure to have adequate security in place as required under the DPA. The judge considered that DSG had been the victim to an attack and that of itself had not caused harm to Mr Warren. DSG (the data controller) had not carried out a 'positive action' which resulted in loss to the claimant.
Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) was a claim against our firm relating to a mistyped email address which meant a letter of claim regarding unpaid school fees was sent to an incorrect recipient. This is of course similar to the sorts of issues that will arise in any organisation from time to time. The incorrect recipient was swiftly notified of the mistake and requested to delete the email, which she confirmed she had done. The intended recipients subsequently issued a claim against VWV in connection with incident which involved minimal information being sent to someone in error and that error being quickly remedied. We made a successful application for summary judgment on the basis that the harm caused to the claimants as a result of the data breach did not meet the required threshold. In the first reported decision on the point, the High Court Master concluded the claim was plainly exaggerated and that it was not appropriate to claim for breaches of this sort which she considered trivial.
Damages awarded for data breaches tend to be relatively low and there have been other recent decisions indicating that the High Court is not the correct forum for low value data protection claims.
Strategic thinking is needed in terms of how to tackle and potentially settle data breach claims, particularly where there is a risk of opening the floodgates to more claims.
Top Tips for Protecting Reputation and Responding to a Crisis
- Don't panic or feel pressured into making a statement on the spot or giving detailed responses to initial enquiries from stakeholders or the press - first statements are often bland for good reason (not least because the full picture may not yet be clear and saying anything inaccurate needs to be avoided).
- Consider potential conflicts (or perceived conflicts) of interest if a senior individual within the charity is named in any complaint or allegation - arrange for someone not named to lead on the response to protect both the named individual and the charity.
- Plan for situations posing the risk of reputational damage and coordinate so that if and when an incident does arise, the internal team is organised and there is a consistent message. Also consider monitoring adverse comment in relation to the charity and set up alerts.
- Don't ignore the situation and consider putting together a draft response or press statement as, if the incident attracts attention, you will have limited time to give a response and want to ensure communications are effective.
- Investigate and follow policies - check what the charity's policies and procedures require and follow them (also consider whether an investigation is needed). Document consideration and retain all relevant information.
- Take care when creating new documents relating to the matter as these could become disclosable if litigation is commenced further down the line.
- Be aware of reporting obligations (to insurers, serious incident reporting to the Charity Commission and any other regulatory and public bodies such as the ICO). Unless and until the insurance position is confirmed, nothing should be done which may prejudice the insurer's position.
- Work out potential claims and consider strategy options early on. Bear in mind that approval may be needed from the Charity Commission (and/or the Court) in relation to incurring substantial costs on claims.
- Consider expert input (legal, PR and IT expertise may all be needed).
From time to time, things will undoubtedly go wrong for charities, but responding effectively can help minimise damage to reputation.
VWV have a wealth of experience in reputation management and can help limit potential damage to reputation by providing prompt and pragmatic advice on the options available and the best way to manage reputation issues.
This article was first published in Civil Society.