'Claims culture' developing around data breaches

Group claims for compensation for data breaches are rising fast and that trend is set to continue. This is the issue we highlighted back in July on the back of the news that British Airways had settled what is thought to be the biggest claim for a data breach in British legal history – a total claim thought to be in the region of £800m, with individuals receiving around £2,000 on average. 

That case dates back to 2018 and major data breach affecting 420,000 people - both customers and BA staff - involving names, addresses, and payment-card details. Hackers diverted British Airways passengers to a fake website, through which they were able to collect customer data. As a result, the Information Commissioner’s Office, the ICO, handed down its largest fine to date, £20m, for what it described as an ‘unacceptable’ failure to protect customers.

The right to bring a claim for a data breach is contained in the UK’s Data Protection Act and there is now a much greater public awareness of the possibility of being compensated when breaches happen. Most individuals don’t go it alone with the stress and financial exposure that would bring. Instead, they tend to sign up with one of a number of law firms who will represent them on a group basis. So, the firms’ represent the individuals collectively to bring a claim for non-material damage including inconvenience, distress, annoyance and loss of control of their personal data. The claims in the BA case have now been settled and on the back of that, in our programme ‘Data breach claims on the rise’, Katy Docherty explained how HR can help minimise the risk of data breaches b y adopting sound data security practices.  

The trend towards group claims is an issue we were flagging last year. In October litigator Stuart Davey told Outlaw how the combination of heightened cyber risk and the growing interest in this area from claimant law firms and litigation funders shows the threat of data subject claims is a growing corporate risk - both financially and reputationally. He says the litigation risk significantly heightens in correlation with the severity of the security breach to the point where litigation is almost a certainty where there has been regulatory enforcement in respect of the incident.

So, what about those claimant law firms? A simple Google search throws up dozens of firms advertising their services, offering to bring data breach claims with no financial risk to the individuals. Katy Docherty is a data protection expert who joined me from Glasgow to discuss the issue. I asked her about those ‘no win no fee’ arrangements:

Katy Docherty: “Yes, so we are starting to see a lot more firms advertising ‘no win no fee’ type arrangements that a lot of us will be accustomed to seeing with PI claims, for example. So, they're advertising the fact that they can bring a case for individuals for them for compensation for data breaches. Now, although to an extent it is untested, we are really only seeing compensation being in the kind of hundreds or low thousands of pounds, generally speaking, there will, of course be exceptions, but generally speaking the compensation for these claims is not a huge amount of money. The problem that employers might find when this kind of claim is raised in the context of an employment dispute is that the cost of defending a claim like this through the civil courts is going to be really relatively high, and certainly, relative to the value of the potential award that will be made, the cost of defending often will far outweigh that and what employers may start to find is that actually, in order to be commercial, they look to settle these types of claims and that’ in turn, may create this kind of claims culture where a few extra hundred pounds can be shaken out of employers who don't want to incur the cost of defending potentially complex claim through the civil courts. So, I think this is one of the challenges that the HR teams will face is how we deal commercially with what sometimes may be baseless claims - sometimes they may have some merit, but where the value of the award is much less than what the costs would be to defend that claim and we find that this is a tactic that is quite often used in settlement discussions. So, companies will need to take decisions at a more senior level as to whether they are going to settle such claims or whether they're going to defend them on principle in order to try and avoid that kind of floodgate effect that I know some companies have seen with things like PI claims, for example.”

Joe Glavina: “I imagine that the big concern around this, especially for many of our clients is the risk of reputational damage?”

Katy Docherty: “Yes, and I think that reputational damage is going to be one of the very big issues. I mean, I'm sure that at BA, for example, or other companies which are suffering large data breaches like this, reputational damage following a data breach as a big issue, and I think that that will be more of a concern where regulatory action has been taken and that goes wider than simply the HR and employment sphere for that company's reputation. But again, going back to the point that I made about data protection being the responsibility of everybody in the organisation, HR teams need to play their role in protecting employee data and in trying to avoid, as far as possible, any kind of breach happening because you've got the financial risks of claims and an ICO fine for example, but the damage that can be done to a company's reputation of not being secure with company data, that can have far wider reaching consequences. So, it underscores the need for HR to play their role for their part of the business in maintaining good data protection practices.”

The rise in litigation in this area is something our cyber and data teams were flagging back in October. Their article ‘Trends point to a rise in data breach claims’ explains how the threat of data claims is a growing corporate risk, both financially and reputationally. That article is available for viewing from the Outlaw website.