BA data-breach damages suit a key test for GDPR liability
7 October 2019, by Vesela Gladicheva
Was British Airways' cybersecurity so lax that it should be held responsible for its big data breach last year? That's the fundamental case that lawyers for the swelling class of thousands of victims must make to win compensation for them.
Friday, 4 October saw the start of a landmark case expected to run to tens of millions of pounds, when the High Court in London approved the group litigation, initiated by BA itself, for trial.
The case is being keenly watched as the outcome will determine how tough a battle lawyers face in arguing cases for nonmaterial damage under the EU's wide-ranging and strict General Data Protection Regulation.
It's the first example of such a suit, brought into UK law through the Data Protection Act 2018, which transposed the GDPR into the domestic statute book.
BA was told in July by the UK's data-protection watchdog that it likely faced a fine of 183 million pounds ($225 million) for violating the GDPR through "poor security arrangements." The breach saw the exposure of details including names, addresses, logins, payment cards and travel bookings of an estimated 400,000 customers.
Now the litigants, led by London law firm SPG Law, are tasked with showing that BA was liable, as the court assesses the adequacy of the carrier's technical and organizational measures for securing its customers' personal data.
The airline, owned since 2011 by International Airlines Group, flatly denies responsibility for the cyberattack and rejects the findings of the Information Commissioner's Office, the UK's privacy watchdog. BA lawyer Anya Proops told the court the findings were "flawed" and "inaccurate" during a preliminary hearing on Friday.
She sought to persuade the judge hearing the case, Mark Warby, that the airline had faced "enormous pressure" since it discovered the breach in September last year.
She listed the steps BA had taken in response — including notifying customers and the ICO, initiating a forensic investigation and setting up a financial loss reimbursement scheme — and argued that the airline had provided customers with "an additional level of assurances."
Proops described a "demanding process" that BA had gone through over the past year, which included conversations with regulators outside the UK. It had responded to the incident "in a manner that was engaged and responsible," she insisted.
Those points did not speak to BA's security practices in the lead up to the breach, however, and these will be a key focus for Warby once the main trial gets under way, likely to be in 2021.
Another key element in the lawsuit is the number of claimants. So far, about 7,000 individuals have signed up to the litigation — less than 2 percent of those affected by the breach.
Litigators had hoped to significantly increase the class size by asking the court to force BA to e-mail customers about it. Warby rejected that argument on Friday, though, citing current case law to say it was for the law firms representing the claimants to publicize the litigation themselves.
The parties agreed that individuals should have 12 months to join, due to start when the claimants have submitted their "particulars of claim" to the court by Jan. 17.
While the ICO's investigation has been confidential, claimants will see its preliminary findings and proposed fine as indicative of culpability on BA's part.
But the ICO probe and the litigation are separate processes. The court will need to make its own assessment based on the evidence and legal arguments that the parties will present.
A spokesperson for the ICO told MLex today that it has "no plans to intervene in the BA litigation.” That could make it more difficult for the claimants to prove their case.
But if the ICO's final decision does conclude that BA has liability, and then the regulator wins any subsequent appeal by BA, that could well influence the outcome of this lawsuit. It would make it more difficult for BA to prove it did enough to fend off liability for the breach.
That will take time, as the ICO has yet to consult its counterparts elsewhere in the EU, under the GDPR's one-stop-shop mechanism, before finalising its position. Nevertheless, it could be expected to wrap up its investigation in coming months, and the result of any possible appeal would likely be known well before the litigation actually comes to trial.
For the claimants, the focus now that the claim has been approved for trial moves to the availability of evidence and documents about the breach. BA has shared none of these so far, save a description of the breach BA sent the claimants in the form of a "narrative letter" last month.
The claimants' lawyers are anxious to start understanding the issues. On Friday, Warby ordered BA to answer the claimants' questions about its security arrangements and the outcome of its investigations into why it failed to prevent the cyber attack.
"We're largely interested in the same things as the ICO," David Blayney, for SPG Law, told the court on Friday. It plans to send its questions this week, and BA will have until Dec. 13 to respond. The details contained in the documents it delivers could prove the be key to success or failure.
The case reference number is BL-2019-001146 Weaver & ors v British Airways Plc.