Earlier this week, British Airways (BA) settled a legal claim brought by some of the 420,000 people affected by a major 2018 data breach.
The BA compensation claim is known to be the largest personal data claim in UK history. Whilst details of the settlement are confidential, the size of the class that opted-in and therefore the potential sum BA may have paid in settlement, illustrates the risks of potential mass data breach claims to companies who experience cyber security incidents. In addition, there is potential for such claims to have a greater impact than the fine arising out of the incident (although of course BA’s fine was reduced from the initial amount announced by the ICO in part due to the impact of COVID-19).
The settlement was concluded reasonably swiftly following the expiry of the cut-off date for claimants to join the group action, at which point BA could be said to have an understanding of its potential exposure in the claim. That said, the case has been ongoing for some 2 years and along the way there has been some disappointment for claimant law firms in that at an interim hearing the Court found that the claimants’ costs of advertising for claimants (some £450,000 having been incurred) were not recoverable from BA. However, by itself, this is unlikely to be a significant deterrent to claimant law firms active in these cases and the growth in claims of this type looks set to continue, whilst all eyes are also looking out for the Supreme Court judgment in the Lloyd v Google case (an opt-out case and which therefore carries even greater risk of financial exposure for defendants) later this year.
This case shows that the stakes are higher than ever when it comes to ensuring cyber security and the protection of personal and of the potential consequences if things go wrong.
In the rapidly evolving data breach landscape, news of a pay-out by a high profile company like BA is only likely to encourage would-be claimants and claimant representatives to consider the value of even seemingly minor data privacy breaches which could result in large group claims. Indeed, there are plenty of claimant data breach law firms who are ready, waiting and even advertising for potential claimants (usually on a “no win no fee” basis). Organisations should be aware of the mounting risk (and associated cost) and take steps to mitigate against it at the outset. However, the settlement proceeds the eagerly awaited judgment in the recent Supreme Court case of Lloyd v Google which may, to a certain extent, close the floodgates to the potential for certain types of group actions.