Data breach claims are on the rise.
Recently we participated in a panel on mass claims for data breaches, looking at current issues in the UK, US and the Netherlands, together with our Lex Mundi partner firms Morrison & Foerster and Houthoff.
What is clear is that the risk of data breach claims is increasing across the globe.
A full recording of the webinar is at the link here, and we invite you to listen.
From the UK perspective, here are some headlines.
Recent high profile judgments in the UK have made the route map to bring mass claims for data breach clearer for claimants.
Data breach claims typically involve large numbers of data subjects and are ripe for mass claims by individuals affected, and well as potentially risking significant fines from the UK regulator, the ICO.
These are often the result of cyber attacks, for instance: against British Airways in 2018, resulting in a fine of £20 million and a group claim that was settled in 2021; claims against the Police Federation in England in relation to a cyber attack in March 2019, reportedly involving a database of 120,000 police officers; and most recently a cyber attack involving the Air France/KLM loyalty program which is said to have 17 million members.
One of the key questions that has arisen in UK cases, in particular the highly publicised Lloyd v Google case, is whether a claim can be made simply on the basis of ‘loss of control’ of personal data, or whether claimants need to demonstrate damage or distress which is more onerous.
Another question involves the process by which mass claims in this area can be brought. Court procedure can be a dry subject, but this does have significant repercussions for the funding of these claims, and in turn the risk of them materialising. The English court is showing a desire to enable collective claims for data breach. Less so the Competition Appeal Tribunal in a current case against Meta valued at circa £2.3 billion on behalf of a group of approx. 45 million UK consumers.
Companies holding and processing significant volumes of personal data should be aware of the increasing risks in this area. It is vital to have appropriate retention and security policies and measures in place.
Please get in touch with us to discuss any of these issues and to find out how we can help.
Written by
Related News, Insights & Events

Data Spring Webinar Series: Data Governance Demands in 2025
20/05/2025 - Online webinar
Our upcoming data webinar series will consider key data protection compliance requirements, explore data governance best practice, and highlight key areas of interest for the UK regulator (ICO).

M&S ransomware attack – what can we learn?
Discussing the recent ransomware attacks on M&S and the Co-op Group, highlighting the risks of cyber crime, potential regulatory consequences, and the importance of strong cyber security measures

Cyber security – fin(e)al decisions from the ICO
Highlighting the key ICO findings and what they mean for businesses handling sensitive data, with practical takeaways to help organisations strengthen cyber resilience and reduce regulatory risk.