“This is your data. Usually it’s kept safe by the companies you trust. However, because of a data breach, the personal data of more than 400,000 people may have ended up in the wrong hands. If you received an email informing you of the breach, you may have been affected and you could be entitled to significant compensation. Contact us to check if you are eligible and start your claim, but don’t wait around, you only have a limited time.”
This type of advert sounds increasingly familiar to us, both as individuals and as data-protection professionals. Indeed, we may be approaching a watershed moment in how personal data breaches affect organisations. The British Airways breach discussed below also provides some signposts to guide organisations in shifting their strategy to prepare for a more compensation-oriented landscape when breaches occur.
The British Airways personal data breach
In 2018 an unidentified attacker used the compromised credentials of an employee of a third-party supplier to British Airways (BA) to access BA’s network, and remained undetected there for over two months. The attacker was able to access the personal data (including names, addresses, payment card numbers and / or CVV numbers) of approximately 430,000 customers and staff, and to copy and redirect customer payment card data to a website under their own control.
BA notified the UK Information Commissioner’s Office (ICO), acquirer banks, payment schemes and all affected customers on 6 and 7 September 2018.
After a lengthy investigation, the ICO fined BA £20m on 16 October 2020 (reduced from the initially proposed £183.39m) for BA’s failure to process personal data securely, thereby infringing Articles 5(1)(f) and 32 of the GDPR.
In its Penalty Notice, the ICO stressed that the fine was issued not because BA suffered a personal data breach, but because BA had not taken adequate steps to analyse and mitigate the risk of one. In particular, BA could have mitigated the risk of an attacker accessing its network with a single username and password (for example, by requiring multi-factor authentication), limited lateral movement within its network (for example, by allow-listing or block-listing applications), protected administrator account details, detected high-risk activity using tools already available to it, carried out adequate code reviews, and avoided logging CVV numbers.
The ICO further underlined that it was unclear whether, or when, BA would ever have detected the attack on its own: BA only learned of it when alerted by a third party on 5 September 2018.
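The “not logging CVV numbers” point above is the one finding that is directly enforceable in code: card data should never reach a log line, even by accident in a debug message. The following is an added example, not code from the original article or from BA’s systems, showing a sanitiser for structured log records plus a standard-library `logging` filter that scrubs free-text messages. The field names (`pan`, `cvv`, and so on), the accepted card-number formats, and the sample record are assumptions for illustration.

```python
"""Scrub payment-card data out of log records before they are written.

Added example (not part of the original article or of BA's systems). The
field names, the card formats recognised and the sample inputs are assumptions
for illustration.
"""
import logging
import re

# Keys whose values must never reach a log line in any form: the CVV is not
# permitted to be stored after authorisation, so there is nothing to mask.
DROP_KEYS = {"cvv", "cvv2", "cvc", "csc", "security_code"}
# Keys that hold a card number (PAN): keep first 6 + last 4 digits, mask the rest.
MASK_KEYS = {"pan", "card_number", "cardnumber"}

# Free-text patterns (assumed formats): 13-19 contiguous digits, or four groups
# of four separated by a space or dash. Lookarounds stop us eating neighbouring
# digits such as an amount or a CVV that follows the PAN.
_PAN_RE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})(?!\d)")
_CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc|csc|security[ _-]?code)\s*[:=]?\s*\d{3,4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so unrelated long numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(value: str) -> str:
    """Return a Luhn-valid PAN as first6 + '*'... + last4; else unchanged."""
    digits = re.sub(r"\D", "", value)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return value
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> str:
    """Redact CVV assignments first, then mask Luhn-valid card numbers."""
    text = _CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    return _PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


def sanitize_record(record: dict) -> dict:
    """Return a copy of a structured log record that is safe to write."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in DROP_KEYS:
            continue  # drop the CVV outright; never log it, even masked
        if k in MASK_KEYS and isinstance(value, str):
            out[key] = mask_pan(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        elif isinstance(value, dict):
            out[key] = sanitize_record(value)
        else:
            out[key] = value
    return out


class CardDataFilter(logging.Filter):
    """stdlib logging filter: scrub the fully formatted message before emission."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # already interpolated; prevent a second % formatting
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("payments")
    log.addFilter(CardDataFilter())
    # Constructed sample: the kind of debug line a payment flow might emit.
    log.info("auth request pan=4111 1111 1111 1111 cvv=123 amount=%s", "42.00")
    print(sanitize_record({"pan": "4111111111111111", "cvv": "123", "amount": 42}))
```

The filter is attached to the logger rather than a handler so that every handler, including one added later, sees only the scrubbed message; the structured-record path is for code that writes JSON events directly. Dropping the CVV key entirely, rather than masking it, reflects that there is no legitimate reason for the value to be in a log at all.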
The BA-related compensation claims
Under Article 82(1) of the GDPR, an individual has the right to receive compensation from an organisation for “material” (e.g. financial loss due to fraud) or “non-material” (e.g. distress) damage resulting from a breach of the GDPR.
In the context of the BA fine, the ICO highlighted that “A significant number of individuals… were affected by the breach… it is likely that many of these individuals will, depending on their circumstances, have suffered anxiety and distress as a result of the disclosure of their personal information… to an unknown individual …”
It is no surprise that a number of firms canvassed affected BA customers and staff to join group litigation orders (GLOs) under no win, no fee agreements. On 15 January 2021, the lead solicitors in one GLO, Pogust, Goodhead, Mousinho, Bianchini & Martins (PGMBM), estimated that each of their approximately 16,000 claimants could be eligible for up to £2,000 and that BA’s overall liability for the breach could reach £800m. On 5 July 2021, BA reached an out-of-court settlement with the PGMBM claimants without admitting liability. The settlement terms remained confidential, so it established no benchmark for either the amount of compensation that might be claimed under the GDPR or the number of claimants who might receive it. Your Lawyers, which declined to participate in the settlement, promptly announced that it would continue a separate GLO against BA on behalf of its approximately 5,000 claimants, each of whom it estimated could be eligible for up to £6,000.
A new market for compensation claims?
The majority of organisations are well aware that supervisory authorities such as the ICO now have powers to issue substantially larger fines for data protection breaches.
However, their awareness that affected data subjects can seek compensation independently of any regulatory fine is likely far lower.
Moreover, in territories such as the UK, group litigation (under any legislation) has historically been less prevalent than in jurisdictions such as the US, so organisations there have less experience of this kind of exposure.
It is not difficult to foresee a new market in which law firms and other organisations offer pro bono or paid assistance to people affected by large-scale personal data breaches.
In light of this, it is important that organisations:
- raise internal awareness of the right to claim compensation, in particular to obtain buy-in from senior management for data protection compliance;
- recognise that successful group litigation claims could prove more costly than regulatory fines where there are a substantial number of data subjects;
- recognise that such claims are likely to increase sharply if and when a claim for a substantial sum succeeds and receives a commensurate level of publicity; and
- account for the risk of claims for compensation, in addition to regulatory fines, within their insurance cover.
Trilateral’s Data Governance and Cyber-Risk Team has significant experience supporting organisations in implementing appropriate security measures in respect of personal data, and/or raising internal awareness of the importance of data protection. We offer a range of data governance services that can help your organisation to develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. For more information please feel free to contact our advisors, who would be more than happy to help.