BA case may open floodgates for psychological claims

Legal action against British Airways over last year’s data breach will be the test case for whether lawyers can prove customers have suffered psychological injury or distress as a result of having their personal information compromised, and, if successful, could leave other brands wide open to huge compensation payouts.
The writing has been on the wall for years. As far back as October 2017, Decision Marketing reported on the emergence of an army of “no win, no fee” compensation lawyers seeking to exploit GDPR data breaches.
At the time, Robert Bond, a partner at law firm Bristows, predicted: “The area we foresee [being used] is emotional distress – having ambulance-chasing lawyers saying, ‘have you lost sleep because your data might have been exposed?’ You can imagine, if a million people make a claim of £1,000 each, that dwarfs any of the other fines.”
This was confirmed last month by legal firm Hayes Connor, which is wooing British Airways customers to join a group action. Last year it emerged that hackers had stolen details of 500,000 customers, including 380,000 bank details. Customer information which was compromised included name, billing address, email address and card payment information, including in tens of thousands of cases CVV security code.
Hayes Connor managing director Kingsley Hayes said: “We have a client who has been demoted at work following an incident which compromised their confidential medical records. Another has been prescribed medication by their doctor in order to cope with the aftermath of their private information wrongfully being sent to an ex-partner leading to the loss of access to their children.
“These are just two examples of many where a data breach has led to…the mental wellbeing of the affected individual being negatively impacted. There is little recognition amongst the organisations that we act against of the resulting mental health issues.”
While admitting “each case is different”, Hayes Connor says it expects to claim up to £5,000 per person, SPG Law is not quite so bullish, insisting claimants “could be eligible for up £2,000 or more”. However, others insist victims could receive as much as £16,000 each in cases where psychological injury is extreme, while average compensation payments for distress could reach £6,000.
Yet even despite this potential payday – as well as a huge online ad campaign by legal firms – it has been reported that only around 6,000 potential claimants have contacted lawyers with a view to claiming compensation.
One industry source said: “Let’s not forget that there has yet to be a successful UK class action to claim compensation over a data breach, with the Morrisons case [dating back to 2015] still ongoing.
“Lawyers have struggled to prove financial loss but whether ‘mental health’ issues will be any easier to demonstrate on such a huge scale remains to be seen. The BA case will be the real test but it could open the floodgates.”
The move comes amid claims that BA is “swerving responsibility” for the breach by trying to limit compensation payouts for victims. The airline has now applied to launch its own class action for victims but it includes a 17-week time limit for claimants to join.
Law firm Your Lawyers has branded the time limit imposed on the class action a “disgrace”. It said that previous group litigation orders had been applied for by claimants, not defendants, and that in large consumer actions a court would never allow such a short recruitment window unless BA could guarantee that all affected customers have been notified.
However, BA said it had been working with specialist cyber forensic investigators and the National Crime Agency to fully investigate the data theft.
“It was a law firm representing prospective complainants who suggested the time frame (of 17 weeks), and this will have to be agreed by the court,” it said. “It does not prevent customers joining the group claim at a later date.”