British Airways flying high as data-breach compensation claim settles

British Airways have managed to (largely) draw a line under what is thought to be the biggest claim for a data breach in British legal history – ending in a settlement between the company and most of the individuals bringing a claim against it.

Like many others, we have been closely watching the fallout from British Airway's (BA)  data breach in 2018 and the ensuing investigation by the Information Commissioners Office (ICO).  

BA's approach to navigating the fallout from that breach has been central to setting expectations in the market as to the costs of failing to comply with GDPR on account of the extent of the breach (personal data belonging to over 420,000 customers and employees was leaked), its status as the first significant GDPR fine announced by the ICO and the much reduced nature of that, still record breaking, fine (£20 million, down from £183 million).

Follow on litigation has become a key threat to companies in the event of a data breach. In response to BA's breach, a group action was filed in April 2020 by 16,000 claimants alleging that the attack had failed on account of BA failing to put in place appropriate security measures. The claimants sought compensation for distress and/or pecuniary loss and/or loss of control of data resulting from the leaking of their names, addresses and card payment details. 

It was announced this week that BA has now reached a settlement with a number of those claimants following mediation. The sum has not been disclosed, though it is thought that the payouts could be up to £2,000 per person. The terms of the settlement remain confidential; however, it is understood that no admission of liability has been made by BA. It is also unclear at this stage how many of the 16,000 affected claimants will receive compensation for the damages, or how this settlement is to be divided among the many claimants.  

While the settlement appears to include most of the claimant group, including those represented by PGMBN, the lead firm on the group litigation order (the GLO), it has not entirely resolved the litigation against BA. A firm acting for a smaller group of claimants within the GLO have stated in media reports on the settlement that they did not participate in the settlement discussions. It also remains open for further individuals to bring claims against BA, though they will either require the court's permission to join the GLO (the deadline having passed on 11 June 2021) or bring a claim separately, in which case their claim will be stayed pending the resolution of the GLO.

A number of implications flow from this settlement. Most particularly, this result is indicative of the growing role that mediation can play in the resolution of future data breach claims and the attractiveness of that route for claimant law firms. With data breaches becoming increasingly common and penalised among major businesses the ease with which a claimant firm can extract value for its claimants through ADR will only embolden claimant law firms and the third party funders backing them to continue to bring data class actions, whatever the result in Lloyd v Google.

We have covered the BA investigation and related litigation in previous articles relating to the credibility of the ICO's processes here, the initial announcement of the intended fine here, the long awaited fine by the ICO  here and our analysis of the key points set out in the ICO's decision here and here. The BA case has also presented an interesting outcome in relation to the recovery of costs by law firms, we reported on the High Court ruling here.