“This is your data. Usually it’s kept safe by the companies you trust. However because of a data breach, the personal data of more than 400,000 people may have ended up in the wrong hands. If you received an email informing you of the breach, you may have been affected and you could be entitled to significant compensation. Contact us to check if you are eligible and start your claim, but don’t wait around, you only have a limited time.”
This type of advert sounds increasingly familiar to us, both as individuals and as data-protection professionals. Indeed, we may be approaching a watershed moment in how personal data breaches impact organisations. The British Airways breach discussed below also provides some signposts to guide organisations on how to shift their strategy and prepare for a more compensation-oriented landscape when breaches occur.
The British Airways personal data breach
An unidentified cyber attacker utilised the compromised credentials of a user within British Airways’ (BA) third party supplier to access BA’s network and remain undetected for over 2 months in 2018. They were able to access the personal data (including names, addresses, payment card numbers and / or CVV numbers) of approximately 430,000 customers and staff, and copy and redirect customer payment card data to their own website.
BA notified the UK Information Commissioner’s Office (ICO), acquirer banks, payment schemes and all affected customers on 6 and 7 September 2018.
After a lengthy investigation, the ICO fined BA £20m on 16 October 2020 (reduced from the initially proposed £183.39m) for BA’s failure to process the personal data securely, thereby infringing Articles 5(1)(f) and 32 of the GDPR.
In its Penalty Notice, the ICO highlighted that the fine was issued not because BA suffered a personal data breach, but because BA did not take adequate steps to analyse and mitigate the risk of one. In particular, BA could have mitigated the risk of an attacker accessing its network with a single username and password (for example, via multi-factor authentication), limited access within its network (for example, by blacklisting or whitelisting applications), protected administrator account details, detected high-risk activity via available tools, carried out adequate code reviews and avoided logging CVV numbers.
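The last of those points, not writing CVV numbers (or full card numbers) into application logs, is the kind of control that can be enforced centrally rather than relying on every developer to remember it. The following is an added illustration and not code from BA, the ICO or this article: a logging filter that redacts CVV-style fields and Luhn-valid card numbers before a record reaches any log handler. The field names, regular expressions and sample log lines are assumptions constructed for the example.

```python
import logging
import re

# Constructed sample log lines for the example (not real customer data).
SAMPLE_LOGS = [
    "payment submitted card=4111111111111111 cvv=123 amount=199.00",
    'checkout payload {"pan": "5500000000000004", "cvv2": "456", "name": "A Customer"}',
    "order 20181231 confirmed for customer id=7788",
]

# A run of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")

# Assumed field names for the card security code: cvv, cvv2, cvc, cvc2, csc,
# followed by '=' or ':' (with optional quotes) and a 3-4 digit value.
CVV_RE = re.compile(r'(?i)\b(cvv2?|cvc2?|csc)\b(["\']?\s*[:=]\s*["\']?)(\d{3,4})')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    """Mask a candidate PAN, keeping only the last four digits."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # order ids, timestamps etc. are left untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Remove CVV values and mask Luhn-valid card numbers in one log line."""
    line = CVV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    return PAN_RE.sub(_mask_pan, line)


class CardDataFilter(logging.Filter):
    """Attach to the root logger so every handler sees only redacted messages."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format the message now, then replace it with the redacted text so
        # no handler can re-render the original arguments.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logging.getLogger().addFilter(CardDataFilter())
    for entry in SAMPLE_LOGS:
        logging.info(entry)
```

The Luhn check keeps ordinary numeric identifiers out of the mask, but roughly one in ten random digit runs of card length will still pass it, so the filter errs towards over-redaction; that is the right trade-off for a control whose purpose is to keep payment data out of logs entirely. It is a safety net, not a substitute for never passing card data to the logger in the first place.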
The ICO further underlined that it was unclear whether, or when, BA would ever have detected the attack itself, as BA was alerted by a third party on 5 September 2018.
The BA-related compensation claims
Under Article 82(1) of the GDPR, an individual has the right to receive compensation from an organisation for “material” (e.g. financial loss due to fraud) or “non-material” (e.g. distress) damage resulting from a breach of the GDPR.
In the context of the BA fine, the ICO highlighted that “A significant number of individuals… were affected by the breach… it is likely that many of these individuals will, depending on their circumstances, have suffered anxiety and distress as a result of the disclosure of their personal information… to an unknown individual …”
It is of no surprise that a number of firms are now canvassing for affected BA customers and staff to join a group litigation case under a no win, no fee agreement. They have estimated that each claimant may be eligible for £2,000, which may cost BA up to £800m. Recent media reports suggest that there are approximately 16,000 claimants. BA disputes both its liability and the estimates.
A new market for compensation claims?
The majority of organisations are well aware that supervisory authorities such as the ICO now have powers to issue substantially larger fines for data protection breaches.
However, their awareness that affected data subjects can seek compensation independently of any regulatory fine is likely far lower.
Moreover, in territories such as the UK, group litigation claims (under any legislation) have historically been less prevalent than in other jurisdictions, such as the US.
It is not difficult to foresee a new market arising in which law firms and other organisations offer pro bono or paid assistance to people affected by high-profile personal data breaches.
In light of this, it is important that organisations:
- raise internal awareness of the right to claim compensation, in particular to obtain buy-in from senior management for data protection compliance;
- recognise that successful group litigation claims could prove more costly than regulatory fines where there are a substantial number of data subjects;
- recognise that such claims are likely to increase exponentially if and when a claim for a substantial sum is successful and receives a commensurate level of publicity; and
- account for the risk of claims for compensation, in addition to regulatory fines, within their insurance cover.
Trilateral’s Data Governance and Cyber-Risk Team has significant experience supporting organisations in implementing appropriate security measures in respect of personal data, and/or raising internal awareness of the importance of data protection. We offer a range of data governance services that can help your organisation to develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. For more information please feel free to contact our advisors, who would be more than happy to help.