A judge has given permission for around 15,000 Scottish drivers to pursue a US-style class action compensation claim against AM100 dealership group Arnold Clark over a dark web data breach in 2023.
Lord Sandison has allowed thousands of consumers to bring group proceedings at the Court of Session, Scotland’s highest civil court, after hearing evidence earlier this year over how the Scottish car dealership had failed to protect customers’ personal information.
Court backs Scottish claims route
In the latest case, a man called Robert Adamson applied to the Court of Session to raise the action for himself and the other drivers following the cyber attack on Arnold Clark’s IT systems in December 2022. The details held by the firm are believed to include copies of passports and drivers’ licences. Names, dates of birth, vehicle details, contact details and National Insurance numbers could also have been taken.
Arnold Clark’s lawyer, Roddy Dunlop KC, had asked for permission not to be granted to the drivers to proceed, telling Lord Sandison that a similar action was being heard at the High Court in London involving other customers. He argued that it would be more appropriate for the Scottish drivers to join in the English action.
However, in a written judgment published by the court on April 16, Lord Sandison rejected the arguments made to him by Arnold Clark’s legal team.
“The application of those legal principles in order to determine the natural forum for the ventilation and determination of the case which the applicant wishes to bring before this case is very straightforward,” he wrote.
“Over 95% of the group members in the proposed litigation are domiciled in Scotland. They entered into a contractual relationship in Scotland with a company registered here, which was governed by Scots law.
“As a consequence of their domicile, the loss and damage for which they seek compensation was suffered, on the hypothesis upon which their case proceeds, in Scotland. Nothing about their situation has any nexus whatsoever with England. The forum with the most real and substantial connection to the dispute, and that which is clearly more appropriate to deal with it, is this court.”
Scale of breach raises concerns
Data protection laws state that people can claim compensation from any organisation that breaches those laws, including for any damage or distress caused.
Solicitors Thompsons told The Sunday Post newspaper it had been approached by more than 5,000 people who had received a letter from Arnold Clark advising them that their personal data had been compromised.
Patrick McGuire, a partner at the firm, told the newspaper: “I think this is the tip of the iceberg. The most financially sensitive data has been posted on the dark web and certainly includes data that would allow criminals to steal people’s identities and open fraudulent bank accounts. Our clients are understandably very worried.”
Solicitors Jones Whyte, which has its headquarters in Glasgow, said it had also been contacted by more than 1,000 people who may have been affected and that this number was “continuing to rise by the day”.
Customers were emailed in late January about the UK-wide hack that happened on December 23 which forced the business to close down its entire computer network on Christmas Eve.
Ensure you always receive AM insights. Make us a preferred source of news on Google