Data breach claims are on the rise.

Recently we participated in a panel on mass claims for data breaches, looking at current issues in the UK, US and the Netherlands, together with our Lex Mundi partner firms Morrison & Foerster and Houthoff.

What is clear is that the risk of data breach claims is increasing across the globe.

A full recording of the webinar is at the link here, and we invite you to listen.

From the UK perspective, here are some headlines.

Recent high profile judgments in the UK have made the route map to bring mass claims for data breach clearer for claimants.

Data breach claims typically involve large numbers of data subjects and are ripe for mass claims by individuals affected, and well as potentially risking significant fines from the UK regulator, the ICO.

These are often the result of cyber attacks, for instance: against British Airways in 2018, resulting in a fine of £20 million and a group claim that was settled in 2021; claims against the Police Federation in England in relation to a cyber attack in March 2019, reportedly involving a database of 120,000 police officers; and most recently a cyber attack involving the Air France/KLM loyalty program which is said to have 17 million members.

One of the key questions that has arisen in UK cases, in particular the highly publicised Lloyd v Google case, is whether a claim can be made simply on the basis of ‘loss of control’ of personal data, or whether claimants need to demonstrate damage or distress which is more onerous.

Another question involves the process by which mass claims in this area can be brought. Court procedure can be a dry subject, but this does have significant repercussions for the funding of these claims, and in turn the risk of them materialising. The English court is showing a desire to enable collective claims for data breach. Less so the Competition Appeal Tribunal in a current case against Meta valued at circa £2.3 billion on behalf of a group of approx. 45 million UK consumers.

Companies holding and processing significant volumes of personal data should be aware of the increasing risks in this area. It is vital to have appropriate retention and security policies and measures in place.

Please get in touch with us to discuss any of these issues and to find out how we can help.

Written by

Related News, Insights & Events

Dawn Raids – recovery of evidence in Scotland

An overview of the Dawn Raid in Scotland with key implications of the Section 1 order known as Administration of Justice (Scotland) Act 1972.

Cyber Crime in the Trust Economy: Navigating an evolving threat landscape

Read our latest Trust Economy paper here.

Is a ban on payments to hackers the answer to the growing threat of ransomware?

Ransomware continues to be a fast-growing and hugely damaging form of cyber attack. It is believed to have earned criminal gangs over $1billion in 2023 and shows no sign of abating in 2025.

Want to hear more from us?

Subscribe here

Advice for the way we live our lives.

Burness Paull is known globally as the go-to Scottish law firm.

Guide: Doing Business in the UK

Legal insights

For Women Scotland Ltd v Scottish Ministers: Supreme Court rules on meaning of “sex"

Events

Tech & IP Conference 2025: Evolution or Revolution?

Topics

Welcome to Burness Paull.

Human and high-performing

Delivering real change for our clients, people and communities

Responsible business lies at the heart of our decision-making.

Firm news

Burness Paull promotes five lawyers to partner

We believe you’re not a tiny cog in a giant machine.

Vacancies

Looking for a workplace that will value your curiosity, passion, and desire to grow?

Don't settle for standard, help us set new ones.