British Airways had a serious data breach in 2018 and, in 2019, the English High Court authorised a class-action lawsuit against BA, covering potentially 500,000 affected customers.
Marriott’s acquisition, Starwood, had suffered a major data breach that started prior to the 2016 acquisition. Marriott’s pre-acquisition due diligence failed to identify the hack, and Marriott now faces a class-action lawsuit; 339 million guest records were affected, so this is a potentially huge lawsuit.
While class-action lawsuits have long been a staple of the US justice system, they are relatively new to the UK. They are, though, here to stay: UK law firms are prepared to take on these sorts of actions, and litigation funders (financial organisations that fund lawsuits in exchange for a share in the award) are increasingly interested in the opportunities presented by data breaches.
So, even if the ICO appears to move incredibly slowly to finalise financial penalties in respect of GDPR data breaches, the private sector moves more quickly, and the consequent potential financial damage – as well as the associated reputational damage and management diversion – looks to be much greater.
Could you be next? That depends on how cyber-secure you are.