The risks to businesses of civil claims arising out of data breaches have been underplayed. Data litigation is on the rise and the exposures are potentially significant.
In this briefing, we explore the key defences to such claims and the arguments available – in light of the emerging case law – to challenge the large amounts being claimed by data subjects in damages.
2020 has seen a significant number of data claims being issued in the English courts. Following British Airways’ announcement in 2018 that there had been a breach of its security systems leading to more than 500,000 customers’ data being leaked, claimants have issued claims which could be worth up to £3 billion.
The ICO penalty notice handed down this month, for £20 million, is comparatively small. In Lloyd v Google LLC [2019] EWCA Civ 1599, a representative action on behalf of an estimated 4.4 million individuals (at £750 per individual), Google’s potential liability is for £3.3 billion, excluding costs. And after a data breach affecting Starwood Hotels’ guest reservation database led to the loss of 300 million individuals’ data, an action has been commenced against Marriott International which could cost it £1.7 billion.
