Data breach claims are on the rise.

Recently we participated in a panel on mass claims for data breaches, looking at current issues in the UK, US and the Netherlands, together with our Lex Mundi partner firms Morrison & Foerster and Houthoff.

What is clear is that the risk of data breach claims is increasing across the globe.

A full recording of the webinar is at the link here, and we invite you to listen.

From the UK perspective, here are some headlines.

Recent high profile judgments in the UK have made the route map to bring mass claims for data breach clearer for claimants.

Data breach claims typically involve large numbers of data subjects and are ripe for mass claims by individuals affected, and well as potentially risking significant fines from the UK regulator, the ICO.

These are often the result of cyber attacks, for instance: against British Airways in 2018, resulting in a fine of £20 million and a group claim that was settled in 2021; claims against the Police Federation in England in relation to a cyber attack in March 2019, reportedly involving a database of 120,000 police officers; and most recently a cyber attack involving the Air France/KLM loyalty program which is said to have 17 million members.

One of the key questions that has arisen in UK cases, in particular the highly publicised Lloyd v Google case, is whether a claim can be made simply on the basis of ‘loss of control’ of personal data, or whether claimants need to demonstrate damage or distress which is more onerous.

Another question involves the process by which mass claims in this area can be brought. Court procedure can be a dry subject, but this does have significant repercussions for the funding of these claims, and in turn the risk of them materialising. The English court is showing a desire to enable collective claims for data breach. Less so the Competition Appeal Tribunal in a current case against Meta valued at circa £2.3 billion on behalf of a group of approx. 45 million UK consumers.

Companies holding and processing significant volumes of personal data should be aware of the increasing risks in this area. It is vital to have appropriate retention and security policies and measures in place.

Please get in touch with us to discuss any of these issues and to find out how we can help.

Written by

Related News, Insights & Events

Sanctions Spotlight – Summer 2025

11/08/2025

This sanctions update looks at key regime and legal changes, UK sanctions enforcement activity, and ownership and control issues.

A guide to the ECCTA ID verification process

31/07/2025

A step-by-step guide to verify your identity online to comply with the identity verification (IDV) regime introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

What’s in scope? OPRED’s new guidance on scope 3 emissions issued

04/07/2025

Supplementary guidance has been issued by the Department for Energy Security and Net Zero for assessing the effects of downstream scope 3 emissions on climate from offshore oil and gas projects.

Want to hear more from us?

Subscribe here Subscribe here

Advice for the way we live our lives.

Burness Paull is known globally as the go-to Scottish law firm.

Guide: Doing Business in the UK

Legal insights

Summary of Employment Rights Bill implementation

Events

Data and the digital economy: Managing risk and making the most of opportunities

Topics

Welcome to Burness Paull.

Human and high-performing

Delivering real change for our clients, people and communities

Responsible business lies at the heart of our decision-making.

Firm news

Burness Paull invests to support sustainable growth as it embarks on new three-year strategy

We believe you’re not a tiny cog in a giant machine.

Vacancies

Looking for a workplace that will value your curiosity, passion, and desire to grow?

Don't settle for standard, help us set new ones.