On the same day that BA announced that 380,000 of its customers had potentially been affected by a breach involving website and app customer data, SPG Law announced the launch of a group compensation claim against the airline based on Article 82 of the GDPR.
The website www.badatabreach.com was created within hours of the breach being announced to help advertise its services.
A ‘no win, no fee’ claim will be brought by way of a Group Litigation Order action with an estimated £1250 available for each claimant. Whether or not regulators decide to fine BA, the company is one of the first to face the prospect of co-ordinated compensation claims since the GDPR took effect in the EU in May 2018.
On 30th November 2018 the Marriott chain announced it had been the victim of a large cyber breach dating back to 2014, showing the Hotel & Leisure sector is also exposed to these risks. The French data protection regulator, CNIL, published a report in October 2018 showing 742 data breaches that had been notified to it since GDPR went live in May 2018. The sector most frequently affected was the hotel sector (185 of the notifications made were from the sector).
Some businesses may also need to be aware of laws around the Network & Information Systems (NIS) Directive's definition of a Digital Service Provider, for instance because they act as an online marketplace. They will need to consider the incident notification requirements and large maximum fines (£17m in the UK) applicable under those laws.
The BA and Marriott breaches highlight the potential risks posed by group litigation and by GDPR and NIS Directive fines, and the need for those in the Travel and Hotel & Leisure sectors to ensure that their compliance programs are set broadly enough to cope with all three.