British Airways GDPR Lawsuit: The Potential ImpactA Substantial Settlement Could Build Data Security Momentum
British Airways could face a substantial compensation payout as a result of an ongoing group lawsuit over its 2018 data breach, the first of its kind under the General Data Protection Regulation. So, the lawsuit - and others that follow in breach cases - could create more momentum for data security enhancements and cyber insurance.
The lawsuit stems from the breach of personally identifiable information and financial details of 420,000 British Airways customers (see: British Airways Faces Class-Action Lawsuit Over Data Breach).
In October 2020, U.K. regulators reduced the airlines’ GDPR penalty for failing to adequately protect customer data to $28 million from $254 million, with regulators taking into account the economic impact COVID-19 had on the airline’s business (see: British Airways' GDPR Fine Dramatically Reduced).
In addition to the fine, British Airways now faces the prospect of compensation payments to customers as a result of the lawsuit. So far, over 17,000 people have signed up to take part in the group lawsuit, says Tom Goodhead, partner at law firm PGMBM, lead solicitors in the litigation.
The law firm is soliciting participants using advertising on U.K. TV and elsewhere, including social media.
GDPR allows claims for nonmaterial damages. The lawsuit, for example, cites inconvenience and distress. Estimates of the potential compensation that the lawsuit will trigger run the gamut from $50 million to $4 billion.
British Airways Reacts
Reacting to the lawsuit, British Airways tells Information Security Media Group: "We continue to deny liability in respect of the claims brought arising out of the 2018 cyberattack and are vigorously defending the litigation.”
But Goodhead, the plaintiffs' attorney, says: “BA indicated to the court that they wish to attempt a settlement of the case rather than proceed to court. It requires two parties to settle. So the issue now is about compensation - the level they are comfortable with and the claimants are happy with. … These are challenging times for BA, and we are not trying to put them out of business, but seeking compensation for inconvenience, distress and concern. And we hope to reach a pragmatic solution.”
GDPR opened the door for data breach victims to go to court to seek compensation, notes Nigel Gooding, founder of data privacy advisory service DPAS, commenting: “The law is clear in that there is a right to claim where a breach has occurred.”
“Article 82 of GDPR states: ‘Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered,’” Gooding notes. “This is the reason that commenters believe data breach class actions are more likely to be successful in Europe than they have hithero been in the U.S.”
In the U.S., most class-action breach-related lawsuits have failed because the courts generally demand proof of specific harm, such as fraud tied to identity theft, caused by the breach.
By clearly giving the right to damages for nonmaterial losses, Goodhead says, GDPR has made data breaches “an area of growth for litigation going forward. I think it’s just the first of these cases that we’ll be handling.”
Goodhead also predicts that demand for cyber risk insurance will grow due to the financial exposure data breaches can cause.
How Big Could Settlement Be?
U.K. legal firm Your Lawyers estimates that the lawsuit could result in total compensation of as much as $4 billion, based on average payouts of $8,200 for all British Airways customers affected, with some receiving $22,000. It did not explain the basis of the claims.
But the airlines – and even Goodhead, the plaintiff’s attorney - says those estimates are unrealistic.
Goodhead estimates the lawsuit, if settled or granted a favorable ruling in court, could generate compensation of $1,660 to $2,070 per victim, depending on circumstances. “Some customers will have more financial compromise or inconvenience, canceling credit cards etc.,” he says.
Brendan Quinn, founder of Mighty Trust, a privacy consultancy, notes that individual data privacy claims for immaterial damages in other jurisdictions, such as the Netherlands, have ranged from about $62 to $617. But U.K. courts generally award higher financial compensation for personal injury claims and other cases.