We speak to Aman Johal about the latest developments in data breach law
What’s your role at Your Lawyers?
Lawyer and Director.
You specialise in compensation claims so what is the most high-profile case you’ve handled?
I’m on the Steering Committee for the Volkswagen Emissions Action, which is set to be the biggest ever consumer Group Action in England and Wales. I’m acting for a claimant group of over 10,000 people and am representing a claimant group of over 55,000 people. This includes owners of 1.2 million vehicles in the UK who can claim for the human, environmental and financial impact of Volkswagen’s installation of their illegal defeat devices. With a potential average claim of £8,500 per vehicle, I estimate there could be potentially £10.2bn to be claimed.
I’m at the forefront of several high-profile cases in the new and developing cutting-edge area of law for breaches of the Data Protection Act and the GDPR. For example, I am representing a number of victims of the 56 Dean Street leak, where almost 800 users of a sexual health clinic had their confidential medical status disclosed to each other.
I’m also representing victims of the significant Equifax data breach of 2017, where some 15 million people worldwide (700,000 in the UK) were subject to sustained data exposure as a result of a failure by the company to patch a known security vulnerability. In addition, their systems failed to identify the ongoing breach.
What’s been your biggest success in recent years?
In terms of recent actions, to date I have recovered over £1.3m in damages for claimants in the PIP breast implant scandal against numerous clinics, credit providers and regulators. Overall, I have represented thousands of clients for personal injury and clinical negligence cases, including multiple loss-of-limb injury claims, severe brain injury claims, and other catastrophic and complex legal cases.
I also successfully won an unprecedented and historic litigation against London law firm, Harcus Sinclair, concerning the VW action. I won a High Court injunction against the firm who were subsequently debarred from acting in the VW emissions action until 2022. This case is believed to be the first of its kind in a group litigation – removing a firm purporting to represent 45,000 claimants from the litigation.
You’re currently representing consumers following the recent BA data breach scandal. What’s the latest on that?
I’m taking BA on to fight for customers affected by this data breach on a No Win, No Fee basis and I’m confident I can succeed. BA has confirmed it will compensate those suffering financial loss as a result. However, they are not the only people we consider are entitled to compensation. We’re urging people to sign up to the class action if they’ve been affected to claim damages for their distress and the loss of control over their information, which could be up to £1,250 or more per person. A factor that is important to address in this is that full card numbers, expiry dates and security (CVV) codes were exposed together with personal information. Victims of the breach are at an immediate risk of fraud, and they could remain at risk of future identity fraud for a long time.
We must also factor in the accumulative effect these data breaches are having. Imagine being a victim of TalkTalk’s famous data breach, having your data exposed in the Equifax hack, and then having your payment card data skimmed in both the Ticketmaster and the BA data breaches.
In your view, what do cases like these say about how big companies deal with our data?
It tells me that big companies are simply not doing enough. I have seen a huge increase in data leaks, data breaches and data hacks; the alarm bells have been ringing for years. In the context of the British Airways breach, the Equifax breach referenced earlier is significant. Not only was this a warning to organisations last year about the need to ensure data security, but when you rely on a company like Equifax as a credit reference agency who have already been hacked, and you then have your payment details hacked in the BA breach, you’re at risk on multiple fronts. This has to be considered in terms of the ongoing and continual risks BA data breach victims can be exposed to.
In particular, the recent Ticketmaster breach – which I’m also bringing an action for – was another warning that hackers will target payment systems. This breach was discovered just a month before the BA data breach, and there were clear warnings that payment systems could be the target. How did BA fail to act?
This latest data breach – which has compromised hundreds of thousands of customers’ personal and payment data – demonstrates that big companies like BA are still not taking their data security responsibilities seriously enough. I would expect any organisation, let alone the UK’s biggest airline, to take far more care to ensure that sensitive payment information is protected. The writing has been on the wall for years, and with so many recent breaches that ought to have served as a catalyst for change, big companies are still not treating data security as a priority.
Until the news hits the press that BA have paid a billion pounds (on current estimations) in fines and legal bills, I would not be confident that big companies will react how they ought to in the wake of this latest breach.
What should they be doing to better protect data?
Any organisations which have yet to tighten up their security ought to be frantically working on it now. Chief Executives need to look at data security in the same way they consider their organisation’s profitability, because they are interlinked. The cost of a GDPR fine plus the costs of legal claims could jeopardise an entire business; not to mention the loss of revenue as more and more customers lose faith in the business.
Although BA have suggested that they will co-operate by compensating those left out of pocket as a result of the hack, it is a case of too little too late. The protection of customer data should have been a priority, and this breach shows there were clearly holes in the safeguarding systems that hackers were able to exploit.
What are the most common reasons for a data breach?
Cyber-attacks are common, and they often succeed because of weak security. Last year’s WannaCry incident was the perfect example of how targeting outdated systems that often don’t have the latest security patches can result in mayhem for businesses and public sector organisations like the NHS.
Human error – from the top of a business down – is commonly a factor in this, and is often linked to a lack of training as well as inadequate policies and procedures. It only takes one person failing to patch a known security vulnerability, as we saw in the Equifax breach, for millions to fall victim to a data incident. It only takes one piece of coding in a payment system to be manipulated for payment data to be skimmed. It only takes one employee to accidentally send an email to hundreds of people that exposes private and sensitive data.
Businesses need to ensure they are offering the right support for employees to get them up to speed with data protection and also employing the right staff to deal with data security operations. They also need to have the right systems in place to safeguard the data they hold.
Has GDPR made an impact and did it go far enough?
The BA data hack is one of the biggest breaches of sensitive customer information ever, and the worst I am aware of in the new GDPR era. The sanctions that can be imposed for breaches of the GDPR could mean that BA may face a fine of £500m with the cost of potential legal action on top. That cost alone could cost around £475m on current estimates.
I believe we are just seeing the tip of the iceberg. GDPR should have made an impact, but as we have already seen, BA and Ticketmaster have suffered huge breaches after the new rules came into force. This suggests organisations are still not listening, and there may be more and potentially even bigger hacks to come.
When the first business is hit with a significant GDPR fine it will be a real wake-up call. Perhaps the BA data breach is the watershed moment the UK and EU businesses needed. We will have to wait and see whether this particular hack, and the fines imposed on BA as a result, are enough to teach others to buck up their ideas.
Do you believe the law is on the consumer’s side or is more legislation required to protect them?
The new GDPR rules should be enough for any organisation to know they have a duty to protect consumer data. The legislation is there, but it’s only just come into force. The BA and the Ticketmaster breaches are signs that organisations have not reacted well enough to GDPR. We may need to see it applied for organisations to finally realise that they must treat data security seriously. We are at the precipice of a digital revolution and those responsible for businesses need to properly consider legislation.