The large fines available to the ICO under the GDPR grabbed the headlines, but the fines have always been the least of the bills payable by a breaching company. For example, Talk Talk was fined £400,000 for its data breach, but the actual costs of remedying the breach have been estimated as between £30 million and £60 million.
The GDPR like, like the DPA98 before it, allows a data subject who suffers from a breach to claim against the relevant company. The GDPR makes it explicit that this covers both material and non-material damage, and the DPA18 in turn makes it clear that non-material damage also includes distress.
A few claimants on their own are unlikely to worry large companies, but class actions, given the numbers of data subjects typically involved in a breach, is a different thing altogether.
Recent weeks have given us the first successful class action for data breach in the UK. In the recent William Morrison case, the supermarket was found liable for a disgruntled employee who posted the payroll details of approximately 100,000 employees on the Internet. The most notable thing about the case is that the action against Morrisons was brought by JMW, a Manchester law firm, on behalf of 5,518 Morrison employees.
JMW is not alone. The law firm SPG Law seeks to combine a UK law firm with US class action experience, and is launching a class action against British Airways for its recent data breach. SPG Law’s website suggests that claimants will, if successful, receive up to £1,500 each. Given that the BA breach affected 380,000 customers, that’s a potential payout by BA of £570 million.
Hayes Connor Solicitors (who hold themselves out as data breach and cyber crime experts) is also leading a class action claim against British Airways but is more bullish, expecting to claim up to £5,000 person (I will let you do the maths). It is also running class action claims (or pre-registering for claims) in relation to the following breaches: Equifax, Ticketmaster, Emma’s Diary, Facebook, Dixon Carphone Warehouse.