Following the ICO’s record fine for British Airways under the GDPR, Julian Hayes and Guevara Leacock, consider the potentially very expensive group claim civil action now being prepared.

The dust has not yet settled on the Information Commissioner’s fine imposed on British Airways (BA) in October 2020, but the company now faces the largest group claim over a data breach in the UK’s history.

A similar claim has been brought against TalkTalk following a 2014/15 cyber-attack on the telecoms giant, though in that case far fewer people were affected. With not only hefty regulatory fines and reputational damage but also the threat of expensive civil litigation for data breaches, the pressure is on for data controllers and processors to check they are doing enough to protect their customers’ personal data.

Security Lapses

What originally led to the BA and TalkTalk claims? In 2014, telecommunications giant TalkTalk, suffered a serious data breach when contractors in India gained unauthorised access to the personal data of 21,000 of their customers.

A further, even more serious, data breach took place in October 2015 when the company suffered a cyber-attack and the data of over 156,000 customers were stolen, including the bank account details of thousands of customers. In the 2018 BA incident, the flagship airline was targeted by hackers who accessed the personal data of over 500,000 of its customers. The ICO fined TalkTalk £500,000, at the time the maximum which the data watchdog could impose, whilst BA received an eye-watering £20million penalty even after a significant discount.

From GDPR to UK GDPR

Introduced in 2018, Article 82 of the GDPR provided an EU-wide legislative mechanism for those suffering damage as a result of a data breach to seek compensation from relevant data controllers/processors.

While the UK officially left the EU on 31 December 2020, those who may have hoped our departure from the EU would lead to an immediate lessening of data protection obligations have been disappointed. The pre-Brexit data protection framework has survived largely intact, and Article 82 has been replicated in the UK’s version of the GDPR, now in force.

Article 82 provides that a person who has suffered material or non-material damage as a result of a data breach shall have the right to claim compensation. Financial loss is not necessary to found a claim and mere distress suffices, potentially opening the way to a variety of imaginative claims.

What is more, any person who has suffered damage as a result of the data breach may bring a claim, extending opportunity beyond data subjects who are directly affected by a breach. Little-used provisions also exist allowing suitably designated representative bodies to bring claims on behalf of data subjects, an area on which the Government is currently consulting, and which looks set for future expansion.

To ensure claimants are effectively compensated, the GDPR provides that where both a controller and a processor involved in the same processing are jointly responsible for any damage, then each of them is jointly and severally liable. Claims may be brought against them irrespective of fault, though those found liable on this basis may issue third party proceedings to recover damages from those directly responsible.

Safety First

With legal precedent indicating damages awards for distress range from between £750 to £2500, individual victims of the TalkTalk and BA data breaches are reportedly in line for up to £1000 and £2000 respectively. But data controllers and processors should not take comfort in such relatively minor awards. Large numbers of small awards still make an unwelcome dent in the corporate balance sheet; group claims can be quite substantial – if every claimant in the BA suit were successful, the company would face an £800m compensation bill (as well as paying its own litigation fees). Even where an insurer, picks up the tab, premiums may be dramatically hiked for companies ‘coming second’ in group action litigation.

The risk of painful civil claims reinforces the need for data controllers and processors to be vigilant and proactive in protecting their client’s personal data.

Article 5(1)(f) of the UK GDPR (another Brexit survivor) requires that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing accidental loss amongst others.

Appropriate technical and organisational measures to ensure a level of security appropriate to the risk is the benchmark.

Pseudonymisation and encryption of personal data, assurance of confidential personal data processing, regular assessment of the effectiveness and security of data processing mechanisms, resilience in the event of a breach are key. Practical measures include limiting employee access to applications, data and tools to those who need them, undertaking rigorous testing of IT systems, implementing best practice staff training, and protecting employee and third-party accounts with multifactor authentication.

The good name of a business is one of its most valuable assets and serious data breaches can irretrievably damage corporate reputations.

Responsible companies – those which protect both the personal data of individuals and their own futures – will view the BA and TalkTalk civil litigation as a salutary reminder of the need to take data security seriously and the consequences of failing to do so.

by Julian Hayes, partner and Guevara Leacock, legal assistant, BCL Solicitors