Blogs & Opinions 29.02.2024

Class Action Lawsuits and Ransomware: A Wake-up Call for UK Businesses

Large-scale data breach class action lawsuits aren’t new, but the number of collective actions being filed in the UK is on the rise

Ransomware can now trigger class action lawsuits, which means that ransomware operators expect organisations to pay a higher ransom in order to avoid additional legal complications, warns Richard Starnes

In recent years, the UK has witnessed a notable shift in the legal landscape, particularly in the realm of data protection and cybersecurity.

Traditionally, companies facing data breaches worried primarily about regulatory fines and the costs associated with remediation and reputational loss. However, the recent emergence of class action lawsuits adds a new dimension to the organisational risk posed by cyber attacks.

High-profile cases against companies like British Airways and Ticketmaster in the UK have set the precedent for victims of data breaches to collectively seek compensation, even when individual damages are minimal.

While large-scale data breach class action lawsuits aren’t new, the number of collective actions being filed in the UK is on the rise. But that’s not all. The growth of US-style group litigation actions here in the UK could well influence the activities of financially motivated cybercriminal gangs.

The data breach battleground

Hacks and ransomware attacks may grab the headlines, but growing concern over data security and privacy means more consumers affected by a breach are opting to pursue a mass claim from firms that fail to maintain reasonable security practices and procedures. In addition to this, firms acting on behalf of plaintiffs are becoming more active in this field. As a result, class actions involving thousands of individuals are being issued earlier and often in parallel with statutory proceedings.

This should serve as a wake-up call for UK organisations. Ransomware attacks that lead to data breaches could, in turn, trigger class action lawsuits. This opens the door to a dual threat of facing both regulatory action and class action lawsuits that together increase the potential for financial and reputational damage.

Fuelling the fire: a lucrative market for cyber criminals

Concerns are growing that the prospect of class action lawsuits might inadvertently serve to make companies more attractive targets for cyber criminals motivated by financial gain.


Knowing that businesses will face increased liabilities following a significant data breach, these attackers will be incentivised to pursue more lucrative ransomware attacks. The expectation is that companies will pay a higher ransom in order to avoid the additional legal complications associated with a class action suit following a data breach.

The motivation behind the proliferation of this economic opportunism isn’t difficult to decipher. Today’s sophisticated criminals are quick to operationalise marketplace trends that make it easier to extort payoffs from cash-rich organisations.

With this in mind, organisations should act now to minimise the risk of a cyber attack and the likelihood of an ensuing data breach class action claim.

Initiate a proactive and risk-based approach to cybersecurity

In this heightened risk environment, UK companies must take their cybersecurity and data protection responsibilities seriously. Compliance with GDPR and other data protection regulations is no longer just a legal requirement; it’s now a critical aspect of the wider corporate risk management agenda.

Appointing a CISO or virtual CISO (vCISO) to oversee information security matters and ensure an appropriate risk mitigation strategy is in place will be a must-have. That includes ensuring that robust technical safeguards and organisational processes are in place to protect personal data, and that employees are regularly trained in security best practices.

The guiding principles that define how organisations should protect critical information include establishing distinct strategies for each class of information asset. Those strategies should follow from a risk assessment of the financial, reputational or compliance impact that would result should the integrity, availability or confidentiality of the individual data assets be compromised.

Finally, undertaking regular cybersecurity risk assessments will be essential for ensuring that security controls are appropriately set and identifying where improvements in existing information security programmes need to be made.

The time to act is now

The convergence of class action lawsuits and the ransomware market should serve as a wake-up call for UK businesses. In addition to regulatory fines, firms may also find themselves engaging in contentious, complex and costly legal battles that could prove difficult to recover from.


Clearly, having the right controls in place to mitigate breach risk is no longer a ‘nice to have’ option. Indeed, the current trend towards class action lawsuits should catalyse UK businesses to elevate their data security measures and ensure that cybersecurity features in their business model risk management frameworks.

To prepare for challenges on the horizon, UK businesses should look to strengthen their information governance measures and implement appropriate cyber security controls. These actions should help minimise the likelihood of exposing sensitive information and mitigate the risk of class action breach litigation.


Richard Starnes is CISO at Six Degrees and has more than 30 years of experience in managing cybersecurity risks, ensuring compliance and protecting digital assets for a range of organisations. At Six Degrees, he sits on the Board’s audit and risk committee to provide strategic guidance on cybersecurity and risk. He is also on the Board of Directors at the Cyber Resilience Centre for London. Prior to joining Six Degrees, Richard was chief cybersecurity strategist at Capgemini. He holds a Master of Science in Information Security from Royal Holloway, University of London, a CISSP certification and a Fellowship of the BCS.
