British Airways Faces Class-Action Lawsuit Over Data BreachGDPR Privacy Law Lets Breach Victims Seek 'Non-Material Damage' Compensation
British Airways has been threatened with a £500 million ($650 million) class-action lawsuit in U.K. court following its warning last week that a hacker had stolen payment card data associated with 380,000 transactions, one of the worst breaches to ever come to light in the country (see Hacker Flies Away With British Airways Customer Data).
See Also: Ransomware Recovery in the 'New Normal'
The possibility that a breached business might face a class-action lawsuit in the U.K. is tied to the EU's General Data Protection Regulation, which went into full effect in May. While GDPR requires organizations to notify relevant authorities quickly about any suspected breach - typically, within 72 hours - and to maintain appropriate data security controls, it also gives Europeans new compensation rights.
SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman, on Monday said that it was planning to launch the £500 million group action - the British version of a class-action lawsuit - unless the airline opts to settle.
"Unfortunately, this is the latest in a number of catastrophic failures in BA's IT systems," says attorney Tom Goodhead, a partner at SPG Law, in a statement. "Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA is liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account."
The Data Protection Act is the U.K.'s national data privacy law. The latest version, which went into effect in May, includes but is not limited to all GDPR requirements.
BA Promises to Cover Direct Losses
British Airways declined to comment on the lawsuit. But it has previously said that all victims of the breach, which lasted for 15 days, will face no out-of-pocket losses.
"No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, ba.com, and the airline's mobile app," the airline tells Information Security Media Group in a statement. "The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018."
Lawsuit Seeks Non-Material Damage Compensation
On Thursday, British Airways began warning customers that hackers had stolen payment card details used to purchase or change 380,000 tickets. The airline promised to cover any fraudulent losses experienced by customers that were not covered by their payment card issuers.
But SPG Law says that under GDPR, breach victims have a right to further compensation and that BA should compensate victims for the "inconvenience, distress and misuse of their private information" caused by the breach.
Specifically, GDPR states: "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
SPG Law says that it believes that each breach victim may be able to claim up to £1,250 ($1,600), in part because their payment card details were current at the time of the breach.
SPG Law says that if British Airways chooses to not settle, it will apply to the court for a group litigation order, which would allow it to combine multiple victims' claims into a single lawsuit.
Why U.S. Breach Suits Typically Fail
Seeing a data breach lead to a threatened class-action lawsuit in the U.K. is a watershed, made possible thanks to GDPR. But class-action lawsuits are common elsewhere.
Indeed, SPG Law says law firms in the U.S. have successfully won compensation for consumers in a number of large U.S. data breach cases, including against Anthem, Target, Wendy's and Yahoo. They're also in the process of pursuing claims from such firms as Equifax, Excellus BlueCross BlueShield and Premera Blue Cross.
But the vast majority of consumers' data breach lawsuits in the United States have been dismissed after judges ruled that the "plaintiffs bar" - the group of attorneys representing plaintiffs - failed to prove that victims suffered an actual or threatened injury, under what's known as Article III standing.
Organizations that suffered a data breach will typically pay a settlement in cases that appear to be going against them, in part to avoid setting a disadvantageous precedent, legal experts say. If breached organizations settle, attorneys acting on behalf of consumers have received up to 60 percent of the value of the overall settlement (see Why So Many Data Breach Lawsuits Fail).
Apology from BA
Meanwhile, British Airways has apologized to customers for the breach. "We understand that this incident will cause concern and inconvenience," it says. "We have contacted all affected customers to say sorry, and we will continue to update them in the coming days. British Airways will not be contacting any customers asking for payment card details, any such requests should be reported to the police and relevant authorities."
The airline says its investigation continues. "British Airways continues to investigate with the police and cyber specialists, and has reported the data theft to the Information Commissioner."
The Information Commissioner's Office is the U.K.'s data privacy authority and responsible for enforcing GDPR. The ICO says its inquiries into the breach are continuing.