British Airways has settled a legal claim by some of the 420,000 people affected by a major 2018 data breach.
The breach affected both customers and BA staff. The data lost included names, addresses, and payment-card details.
The Information Commissioner’s Office handed BA its largest fine to date, of £20m. It justified the fine by citing the “unacceptable” failure to protect customers. However, the settlement did not include any admission of liability.
While collective legal action is not as common in the UK as similar class-action suits in the US, group actions do happen. Law firm Pogust, Goodhead, Mousinho, Bianchini and Martins earlier this year said the BA compensation claim had become “the largest group-action personal-data claim in UK history”, with more than 16,000 affected people involved.
In July of 2021, PGMBM, the lead firm in the action, announced the settlement. This included compensation for “qualifying claimants who were part of the litigation”.
However, because the terms of the settlement are confidential, it is unclear how many of the 16,000 will receive compensation. We also don’t know how much BA will end up paying.
The ICO’s multi-million-pound fine “did not provide redress to those affected”, PGMBM chairman Harris Pogust said. “This settlement now addresses that.”
British Airways issued a brief statement saying it was “pleased we’ve been able to settle the group action”.
It apologised to customers and reiterated its stance that it had acted promptly when it discovered the problem.
The settlement may now draw a line under the long-running and high-profile data breach.
However, the claim may have far-reaching consequences for businesses. The fines issued by the ICO will never compensate the victims. It is the same in the criminal world. Therefore, the legal profession will continue to hunt down businesses that mistreat the data of their clients. Indeed, compensation claims will represent a greater threat to business than the ICO ever will.
Therefore, it is even more important for businesses both large and small to demonstrate compliance. As part of this process, better data protection practices should be introduced to your business. A review of your IT will be part of this compliance process. This in turn should reduce the risk of a data breach by up to 70% if carried out to the Cyber Essentials standard.