Organisations which fail to implement appropriate technical and organisational security measures to protect personal data, and suffer personal data breaches as a result, may increasingly find themselves facing a double whammy: enforcement action by the UK Information Commissioner's Office (ICO), which can include significant financial penalties, and group-style legal actions brought by the affected data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.

An ICO investigation into the breach discovered that British Airways’ security arrangements regarding personal data were inadequate in various ways and led to the ICO imposing a financial penalty of £20 million on the airline in October 2020.

Although this was a significant reduction from the figure of over £183 million set out in the ICO's notice of intention to fine British Airways, issued in July 2019, the £20 million penalty still represents the largest fine issued by the ICO to date under the General Data Protection Regulation (EU) 2016/679 (GDPR), which has applied since 25 May 2018.

Reportedly, over 16,000 data subjects who were affected by the breach have now joined a group-style action against British Airways which, if successful, could lead to payments to affected individuals possibly totalling millions of pounds. There is still time for additional data subjects to join the claim, which may increase British Airways' potential financial exposure still further, and the airline's prospects of success in the litigation are unlikely to have been improved by the imposition of the recent ICO fine.

British Airways has reportedly stated that it will continue to "vigorously defend the litigation". However, it has also apparently indicated its willingness to enter into settlement discussions with the affected data subjects. Although settling the dispute may be more financially beneficial than continuing the litigation, British Airways could still find itself with a substantial bill once the matter has concluded.

British Airways is not alone. Recent examples of group-style actions in the English courts include the case against the supermarket chain Morrisons, in which a group of its employees claimed compensation under data protection law after a rogue employee disclosed their personal data. The employees were ultimately unsuccessful when the UK Supreme Court held in 2020 that Morrisons was not vicariously liable for the employee's actions, but that case was unusual and turned on its facts.

Other examples include a group action launched in the English courts against Marriott International by hotel guests whose customer records were involved in a personal data breach suffered by a Marriott-owned company. It has also recently been reported that several hundred customers and potential customers have brought a claim in the English courts against TalkTalk Telecom Group PLC in respect of personal data breaches which took place in 2014 and 2015.

While class actions regarding privacy breaches have historically been more common in other jurisdictions such as the USA, such actions, which are expressly envisaged by Article 80 of the GDPR, are increasingly being brought in the English courts.

The possibility of such actions underlines the importance, for every organisation which processes personal information, of implementing and maintaining appropriate security measures so that all personal data is adequately protected, in order to avoid both regulatory enforcement action and costly group-style litigation from disgruntled data subjects.