Adobe StockA judge has given permission for around 15,000 drivers to pursue a US-style class action compensation claim against Arnold Clark over a dark web data breach.
Lord Sandison has allowed thousands of consumers to bring group proceedings at the Court of Session, Scotland’s highest civil court.
He has heard evidence about how many customers of the Scots car dealership believe it didn’t do enough to protect their personal information.
They instructed lawyers after their data emerged online following a cyber attack on Arnold Clark’s IT systems in December 2022.
Lord Sandison gave permission to proceed following hearings at the court earlier this year.
It is the latest set of group proceedings to be heard at the Court of Session. Previous cases have involved former players of the Celtic Boys Club and Kenyan tea pickers who worked in the African country for James Finlay, a company founded in Scotland in 1750.
Arnold Clark’s lawyer, Roddy Dunlop KC, asked for permission not to be granted to the drivers to proceed.
He told Lord Sandison that a similar action was being heard at the High Court in London involving other customers.
Mr Dunlop, the Dean of the Faculty of Advocates, argued that it would be more appropriate for the Scottish drivers to join in the English action.
However, in a written judgment published by the court on Thursday, Lord Sandison rejected the arguments made to him by Arnold Clark’s legal team.
He wrote: “The application of those legal principles in order to determine the natural forum for the ventilation and determination of the case which the applicant wishes to bring before this case is very straightforward.
“Over 95% of the group members in the proposed litigation are domiciled in Scotland.
“They entered into a contractual relationship in Scotland with a company registered here, which was governed by Scots law.
“As a consequence of their domicile, the loss and damage for which they seek compensation was suffered, on the hypothesis upon which their case proceeds, in Scotland. Nothing about their situation has any nexus whatsoever with England.
“The forum with the most real and substantial connection to the dispute, and that which is clearly more appropriate to deal with it, is this court.”
Data protection laws state that people can claim compensation from any organisation that breaches those laws, including for any damage or distress caused.
Solicitors Thompsons told The Sunday Post newspaper it had been approached by more than 5,000 people who have received a letter from Arnold Clark advising them that their personal data had been compromised.
Patrick McGuire, a partner at the firm, told the newspaper: “I think this is the tip of the iceberg. The most financially sensitive data has been posted on the dark web and certainly includes data that would allow criminals to steal people’s identities and open fraudulent bank accounts.
“Our clients are understandably very worried.”
Solicitors Jones Whyte, which has its headquarters in Glasgow, said it had also been contacted by more than 1,000 people who may have been affected and that this number was “continuing to rise by the day”.
Associate Dominic Ritchie, who heads up the data breach claim for the firm, said: “We are in the process of building a strong case and will be looking for significant compensation from Arnold Clark for our clients.”
Customers were emailed in late January about the UK-wide hack that happened on December 23. The company said it closed down its entire computer network on Christmas Eve.
The details held by the firm are believed to include copies of passports and drivers’ licences. Names, dates of birth, vehicle details, contact details and National Insurance numbers could also have been taken.
Arnold Clark, which has its headquarters in Glasgow, has almost 200 dealerships across Scotland and England. It has not said how many customers have been contacted. Those affected have been offered a two-year subscription to an identity-fraud-checking service.
The company said it had taken several steps to protect partners and customers following the cyber attack, including setting up a call centre with its credit reporting agency partners, Experian.
“Upon advice from our cybersecurity team, we understand that some personal data has been extracted by the hackers who carried out the cyber attack,” the company told customers.
“We take the protection of your personal data extremely seriously, and we want to assure you we are doing everything we can to minimise any risk to you from this incident.”
In the latest case, a man called Robert Adamson applied to the Court of Session to raise the action for himself and the other drivers.
Lord Sandison wrote that Arnold Clark had appealed his finding allowing permission to proceed, and he had written a judgment to explain his decision.
He wrote: “After hearing parties, I granted the permission and authorisation sought.
“The respondent has now exercised its right to reclaim against the grant of permission (but not of authorisation), and it is therefore necessary to set out in writing the reasons for my decision to grant permission.”
Follow STV News on WhatsApp
Scan the QR code on your mobile device for all the latest news from around the country
