BCL partner Julian Hayes and Legal Assistant Guevara Leacock's article titled ‘TalkTalk and BA Data Breaches – The Lasting Aftershocks!' has been published by Lawyer Monthly.

Here's an extract from the article:

“The dust has not yet settled on the Information Commissioner's fine imposed on British Airways (BA) in October 2020, but the company now faces the largest group claim over a data breach in the UK's history. A similar claim has been brought against TalkTalk following a 2014/15 cyber-attack on the telecoms giant, though in that case far fewer people were affected. With not only hefty regulatory fines and reputational damage but also the threat of expensive civil litigation for data breaches, the pressure is on for data controllers and processors to check they are doing enough to protect their customers personal data.

Security Lapses

What originally led to the BA and TalkTalk claims? In 2014, telecommunications giant TalkTalk, suffered a serious data breach when contractors in India gained unauthorised access to the personal data of 21,000 of their customers. A further, even more serious, data breach took place in October 2015 when the company suffered a cyber-attack and the data of over 156,000 customers were stolen, including the bank account details of thousands of customers. In the 2018 BA incident, the flagship airline was targeted by hackers who accessed the personal data of over 500,000 of its customers. The ICO fined TalkTalk £500,000, at the time the maximum which the data watchdog could impose, whilst BA received an eye-watering £20million penalty even after a significant discount.


Introduced in 2018, Article 82 of the GDPR provided an EU-wide legislative mechanism for those suffering damage as a result of a data breach to seek compensation from relevant data controllers/processors. Whilst the UK officially left the EU on 31 December 2020, those who may have hoped our departure from the EU would lead to an immediate lessening of data protection obligations have been disappointed. The pre-Brexit data protection framework has survived largely intact, and Article 82 has been replicated in the UK's version of the GDPR, now in force.

Article 82 provides that a person who has suffered material or non-material damage as a result of a data breach shall have the right to claim compensation. Financial loss is not necessary to found a claim and mere distress suffices, potentially opening the way to a variety of imaginative claims. What is more, any person who has suffered damage as a result of the data breach may bring a claim, extending opportunity beyond data subjects who are directly affected by a breach. Little-used provisions also exist allowing suitably designated representative bodies to bring claims on behalf of data subjects, an area on which the Government is currently consulting, and which looks set for future expansion.

To ensure claimants are effectively compensated, the GDPR provides that where both a controller and a processor involved in the same processing are jointly responsible for any damage, then each of them is jointly and severally liable. Claims may be brought against them irrespective of fault, though those found liable on this basis may issue third party proceedings to recover damages from those directly responsible.”

This article was originally published by Lawyer Monthly on 29/01/2021. You can read the full version on their website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.