Around 15,000 motorists in Scotland have been granted permission to pursue a group compensation claim against Arnold Clark following a cyber incident that exposed customer data on the dark web. The decision was made by Lord Sandison at the Court of Session, marking one of the more significant data-related group proceedings to emerge in Scotland in recent years. The case centres on claims that the company failed to adequately protect sensitive personal information, leading to widespread exposure after its systems were compromised in late 2022.
Permission granted despite jurisdiction challenge
The court’s decision followed arguments from the company’s legal team, led by Roddy Dunlop, who opposed allowing the Scottish proceedings to go ahead. It was argued that a similar case involving other affected customers was already underway at the High Court in London, and that Scottish claimants should instead participate in that action.
This position was ultimately rejected. In a written judgment, Lord Sandison noted that the vast majority of those seeking to take part in the claim are based in Scotland, which weighed against shifting the case to another jurisdiction. The ruling allows the group proceedings to move forward domestically, reinforcing the use of Scotland’s relatively new collective redress mechanisms.
Potential implications for group litigation
The case is part of a growing number of group actions being heard in Scotland’s civil courts. Previous proceedings have involved claims linked to organisations such as Celtic Boys Club and workers connected to James Finlay. Approval of this action could contribute to shaping how large-scale data breach claims are handled in Scotland and the UK, particularly where most claimants are locally based but related litigation exists elsewhere. It may also influence how companies assess legal exposure following cyber incidents involving personal data.
The 2022 breach and exposed data
The legal action stems from a cyber attack disclosed in December 2022, during which attackers obtained copies of customer data held by Arnold Clark. Initially, the company stated that its data had not been compromised, but later acknowledged that information had in fact been accessed and taken.
According to communications sent to affected individuals, the data potentially included contact details, dates of birth, passport information, driver’s licence records, national insurance numbers, and banking details. The company stated at the time that the nature of the attack made it difficult to determine precisely what had been accessed. It also indicated that external advisors were involved in assessing the scope of the breach.
Company response
Following the incident, Arnold Clark said it had taken steps to address the situation, including offering a two-year fraud and credit monitoring service to affected customers. A dedicated call centre was established, and the company reported that it was rebuilding its IT infrastructure within a newly segregated environment. It also stated that it had been in contact with regulatory authorities and law enforcement during the response process, and that further security updates were being implemented across its systems.
Conclusion
The progression of this group claim marks a notable moment in Scotland’s handling of data breach litigation. With thousands of individuals seeking compensation and the court opting to retain jurisdiction despite parallel proceedings elsewhere, the case may influence how similar disputes are approached in the future. At its core, it reflects the growing legal consequences that can follow large-scale data exposure incidents, particularly where questions are raised about how personal information is managed and secured.
0 Comments