Group claims for compensation for data breaches are rising fast, and that trend is set to continue. Why is that, and what can employers do about it? We will come to that shortly.
This is in the news after British Airways settled what is thought to be the biggest claim for a data breach in British legal history. The figure has not been disclosed but, as Sky News reports, the total claim is thought to be in the region of £800m, with pay-outs of up to £2,000 per claimant and no admission of liability from BA.
This dates back to 2018 and a major data breach affecting around 420,000 people, both customers and BA staff, involving names, addresses and payment-card details. Hackers diverted British Airways passengers to a fake website, through which they were able to collect customer data. As a result, the Information Commissioner's Office, the ICO, handed down its largest fine to date, £20m, for what it described as an 'unacceptable' failure to protect customers.
That fine was set to be a lot bigger. As the BBC reports, following its investigation the ICO initially said it planned to fine BA a record-breaking £183m, but it lowered that amount after representations from BA. In its penalty notice of October 2020, the ICO said BA had argued that penalties should be 'significantly reduced or not imposed at all' because of the financial hardship airlines faced during lockdowns, when few flights were running. The ICO took that into account, lowering its fine to £20m, which at the time was still the highest GDPR fine it had issued.
The ICO, as the regulator, is not in the business of recovering compensation for the individuals affected by a data breach, which explains why those individuals signed up with one of a number of law firms to litigate for that purpose. This settlement closes the group litigation brought under the GDPR, which sought compensation for non-material damage, including inconvenience, distress, annoyance and loss of control of their personal data.
So how is this relevant to HR professionals, and what are the lessons to learn from this case? Katy Docherty is a data protection specialist, and she joined me by video link from Glasgow. I put that question to her:
Katy Docherty: “So, the BA example is obviously quite a dramatic one, involving thousands of people, the settlement was likely to be very high, the fine for the data breach was very high, but I think that this type of case is very relevant for HR professionals. We might start to see, of course, group actions if there has been a data breach. That kind of data breach, particularly where there has been regulatory action which has advertised the breach, or it's been a particularly big deal and individuals are very alert to it, group actions like that may be a bit more expected by companies in the aftermath of a breach, and that’s not to diminish the severity and importance of them. What I think HR professionals might start to see, in the very specific context of employment disputes, is individuals claiming that, actually, there has been a data breach by the company, that's something that we see individuals allege quite often, and we might start to see either the threat of litigation, or people actually bringing such claims. We’ve started to see a few of those, certainly for our clients, but I do think, particularly as individuals become more aware of their rights, and as stories such as the BA example are advertised, individuals are going to cotton on to the fact that the ability to claim compensation for data breaches is something that they can do through the courts, particularly if the ICO will not compensate them. So, I think that the HR professionals need to be very alive to this risk, particularly from individuals, particularly where that is a dispute. So, a couple of practical points if this is something that you are faced with. One very practical point is that, obviously this kind of claim does not go through the employment tribunal, which is what we as HR professionals and employment lawyers working in that sphere are used to. 
These claims will go through the civil courts, and those types of claims have different procedural requirements from the employment tribunals; they've got different deadlines, and so specialist advice should be sought immediately. Another very pressing point for HR is that data protection is the responsibility of everybody within an organisation and, particularly in HR where you're dealing with quite often sensitive data, you can be quite often dealing with fairly fraught situations with employees that you're trying to manage. Cases like the BA claim, and the trend that we're starting to see of individuals making court cases out of a data breach, underscore the importance of HR taking great care with individuals' data, ensuring that they follow their internal protocols and policies, and also of HR teams very quickly reporting any potential breaches to their internal data protection team. Now, you have to do that in terms of data protection obligations in case you need to report the breach to the ICO, but what quick reporting will also enable your internal teams to do is to take any mitigating action quickly that can mitigate or prevent damage, or loss, to the individuals, because individuals can sue for monetary damage, material damage, or they can also sue for injury to feelings and distress caused. So, the quicker the company can have time to act upon a potential breach and try and take that mitigating action, the better."
The rise in litigation in this area is something our cyber and data teams were flagging back in October. Their article, 'Trends point to a rise in data breach claims', explains how the threat of data claims is a growing corporate risk, both financially and reputationally. That article is available on the Outlaw website.