
Can you make a data breach claim against the Crown Prosecution Service?

In May this year, the Information Commissioner’s Office (ICO) issued a £325,000 fine following the loss of recorded police interviews by the Crown Prosecution Service (CPS). The DVDs contained interviews with 15 victims of child sex abuse and were to be used at trial.

Shockingly, the recordings were also unencrypted, and the failure to protect such sensitive information has led to concerns that a “loss in trust could influence victims’ willingness to report serious crimes”.

Such data breaches could also have severe consequences for those affected. So, victims should now be looking to make a data breach claim against the Crown Prosecution Service.

What happened in this case?

In November 2016, the DVDs were sent by tracked delivery from Guildford to Brighton for a trial. But, because the delivery was made outside of office hours, they were left at an office reception in a shared building.

The recordings, which were not sent in tamper-proof packaging, contained highly intimate and sensitive details of the victims, as well as the personal data of the perpetrator, and identifying information about other individuals.

It was over a week before the loss was discovered, and while the building’s entry doors were locked, deliveries that were left there could be accessed by anyone with admission to the building.

The DVDs and the information contained on them have not been found, so it is unclear what has happened to them and whether anyone has watched them.

To make matters worse, this is the second time that the CPS has failed to take necessary steps to protect sensitive data. In 2015, the CPS was fined £200,000 by the ICO after the theft of laptops containing videos of police interviews uncovered serious security failures by the government body.

What was the result of the latest investigation?

In its judgement, the ICO found that the CPS was negligent by failing to ensure that the videos were kept safe. The CPS was also accused of not taking into account the substantial distress that would be caused if the videos were lost.

Astonishingly, the investigation also revealed that while encryption software is available to the CPS, it is not routinely used to protect such evidence.

As a result, as well as the £325,000 fine, the ICO ruled that, due to a lack of proper processes across the organisation, staff training within the CPS was needed immediately.

Stephen Eckersley, head of enforcement at the ICO, said:

“The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.

“The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information.”

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

The latest breach by the CPS is particularly worrying as many of the victims were already vulnerable and had already endured significant distress during their interviews with the police. As such, the loss of these recordings is likely to cause considerable emotional anguish.

What’s more, while the CPS has said that it has now strengthened arrangements to prevent further incidents, its failure to do so following the last data protection breach highlights a shocking disregard for those people it should be protecting. The CPS simply did not make sure that appropriate care was taken to avoid similar breaches recurring.

The CPS was aware of the graphic and distressing nature of the personal data contained in the DVDs, but it was complacent in caring for that information and those it is supposed to protect. So it must be held to account.

Victims who had their data accessed were informed about the breach. And, while the CPS has offered to meet victims’ families to apologise, this does not cancel the right to proper compensation.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to make a data breach claim against the Crown Prosecution Service and claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

With strict time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

IF YOU THINK YOU MAY HAVE A DATA BREACH CLAIM COMPLETE OUR CONTACT FORM.


Can you make a data breach claim against the British and Foreign Bible Society?

This month, the British and Foreign Bible Society was fined £100,000 for failing to protect the personal data of 417,000 of its supporters. Following an investigation by the Information Commissioner’s Office (ICO), it was revealed that the Society exposed these supporters to possible financial or identity fraud.

While the Society was a victim of a cyber-attack, this does not negate the fact that it failed to take appropriate steps to protect the personal data it was entrusted with.

With data breaches often causing significant distress for those affected, victims of the British and Foreign Bible Society data breach may now want to claim compensation.

What happened in this case?

Between November and December 2016, criminals exploited the weakness of the Society’s computer network – which used an easy-to-guess password – to access the personal data of its supporters.

The attackers used ransomware to encrypt almost one million files. The data compromised included names and contact details, as well as payment card and bank account details for some. Fortunately for the Society, the data had recently been backed up, so it could not be held to ransom. But many of the files were transferred, copied and extracted by the attacker.

What was the result of the investigation?

During its investigation, the ICO found that supporter details were kept on an insufficiently secured internal network which offered inappropriate remote access rights.

Commenting on the case, Steve Eckersley, head of enforcement at the ICO, said:

“The Bible Society failed to protect a significant amount of personal data and exposed its supporters to possible financial or identity fraud.

“Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated.

“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”

The British and Foreign Bible Society was fined £100,000 for breaching data protection legislation.

What can you do?

Today, many people choose to donate to charities and causes they care about. But, while you might support them in their aims, it is vital that they meet their obligations when it comes to protecting your sensitive data. Where they fail to do this, holding them to account is often the only way to ensure standards are improved. Often such organisations are insured against such data breaches, so you don’t have to worry about the impact on the good work you support.

In this case, the ICO found that the Society’s failure was likely to cause substantial damage or distress to those supporters who had their data stolen.

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

The Society has notified victims who have had their payment details stolen, but it is not clear if those who had other personal data put at risk were informed. However, modern cybercriminals are increasingly sophisticated and such information can be used to carry out identity theft and fraud, so it is vital you are told.

What’s more, it doesn’t matter if criminals haven’t used your data. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. If you are not sure if your information was compromised, we can find this out for you. We can also help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

With strict time limits in place for making most compensation claims, it’s essential to act now.

IF YOU THINK YOU MAY HAVE A DATA BREACH CLAIM COMPLETE OUR CONTACT FORM.

Can you make a data breach claim against Nottinghamshire County Council?

Last year, Nottinghamshire County Council was fined £70,000 by the Information Commissioner’s Office (ICO). The fine came after the Council left the personal information of vulnerable people it was supposed to protect exposed for five years.

The sensitive data included the gender, addresses, postcodes and care requirements of 3,000 elderly and disabled people.

Such failures could have severe consequences for those affected. So, victims should now be looking to make a data breach claim against Nottinghamshire County Council. 

What happened in this case?

In 2011, Nottinghamshire County Council launched its Home Care Allocation System. This was an online portal which allowed social care providers to confirm that they were able to support a particular person.

However, five years later, a member of the public informed the Council that the unprotected directory could be accessed via a simple online search. During this time, the data could have been viewed by anyone, with no need to log in. And, although the service users’ names and house numbers were not included, it would have been possible to identify them.

This situation is particularly worrying as the data contained in the system could have been used by criminals to target vulnerable people. It could also have been used to alert criminals about when people were in hospital, and when their homes were sitting empty.

What was the result of the investigation?

The incident has been called a serious and prolonged breach of the law by the ICO. The investigation also found that, despite having the financial and staffing resources available, the Council overlooked the need to put robust measures in place to protect people’s personal information.

Calling the data protection breach “totally unacceptable and inexcusable”, the ICO said that the distress to service users was likely to be substantial, particularly given the sensitive nature of the personal data and the vulnerability of the people involved. For example, the report into the breach states that “elderly and vulnerable service user may worry that a thief or burglar would use the information to prey on her whilst at home or in hospital.”

Furthermore, the ICO has agreed that such concerns are entirely justifiable, even if what is feared never actually happens.

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

Central and local government bodies handle some of our most sensitive personal data, and we have the right to expect this will be looked after and kept safe. As such, organisations such as Nottinghamshire County Council must start to look after our data as carefully as they would their own money or offices.

Very often, the only way to ensure they do this is by claiming compensation for data protection breaches and holding them to account.

What’s more, it doesn’t matter if there is no evidence that the data has been used to carry out identity theft or fraud. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

While Nottinghamshire County Council informed the ICO as soon as the failure was uncovered, because it occurred before the General Data Protection Regulation came into force in May 2018, it was not obligated to tell individuals if their data was breached. So, you may not know if your sensitive information was put at risk. But if you are in any doubt, it’s worth finding out, and we can do this for you.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to make a data breach claim against Nottinghamshire County Council and claim the maximum amount of compensation in the minimum amount of time. We can do this on a no-win, no-fee basis.

With strict time limits in place for making most compensation claims, it’s essential to act now.

IF YOU THINK YOU MAY HAVE A DATA BREACH CLAIM AGAINST NOTTINGHAMSHIRE COUNTY COUNCIL COMPLETE OUR CONTACT FORM.


Can you make a data breach claim against the Carphone Warehouse?

Earlier this year, the Carphone Warehouse was fined a whopping £400,000 following a cyber-attack. The assault on the company’s computer systems compromised customer and employee data and uncovered severe failures in Carphone Warehouse’s data security systems.

The data protection breach put the personal data of over three million customers and 1,000 employees at risk, including the historical payment card details for some 18,000 customers.

The £400,000 fine is one of the biggest ever handed out by the Information Commissioner’s Office (ICO).

Data breaches often have severe consequences for those affected. So, customers and employees of the Carphone Warehouse should now be looking to claim compensation.

What happened in the Carphone Warehouse data breach case?

In 2015, a Carphone Warehouse computer system fell victim to a cyber-attack. The data breach affected the company’s online division which operated the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites.

The attack took place after the assailant made a scan of the system using a commonplace penetration tool. The tool looked for things such as outdated software and other vulnerabilities. Having uncovered such weaknesses in a WordPress website, the scammer exploited them to access the system, and the customer and employee data.

While Carphone Warehouse did have processes in place to monitor cyber threats, staff were not alerted to the attack until 15 days after the system was first compromised. This time lapse further highlighted the lack of adequate security measures in place at the company. In fact, according to the ICO, the “number of distinct and significant inadequacies in the security arrangements for the System is striking”.

What was the result of the investigation?

In its judgement, the ICO found that the Carphone Warehouse data breach significantly affected the privacy of those involved. It also said that if the data was misused, it was likely to cause substantial damage or distress.

“The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.

“The law says it is the company’s responsibility to protect customer and employee personal information.

“Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.

“There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined.

“But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees”.

In failing to do this, the ICO found that the severity of the Carphone Warehouse data breach merited a £400,000 fine.

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

IF YOU THINK YOU MAY HAVE A CLAIM THEN COMPLETE OUR CONTACT FORM.

Can you make a data breach claim against the Bayswater Medical Centre?

The Bayswater Medical Centre has been found guilty of a serious data protection breach. The London-based GP and healthcare provider has been fined £35,000 by the Information Commissioner’s Office (ICO) after it left highly sensitive medical records, registration forms and repeat prescription information unsecured in an empty building for a year and a half. The data was left on desks, in unlocked cabinets, on windowsills, and in bins.

With medical data breaches often having severe consequences for those affected, patients of the Bayswater Medical Centre may now be able to claim compensation.

What happened in this case?

The breach occurred after the Bayswater Medical Centre vacated a practice but continued to use the building for storage. The failure to protect sensitive patient data was only discovered after another GP practice visited the site to take over the lease.

Perhaps most worryingly, despite repeated warnings from the new surgery and a local Clinical Commissioning Group, Bayswater Medical Centre did nothing to collect and secure the sensitive information.

Concerns were escalated to NHS England (NHSE). And, when officers investigated the building, they found that “it would have been apparent to anyone looking through the window that the premises were abandoned and patient files left littered throughout the premises with windows left ajar with potential access”. Medical records were also left on a windowsill, with the blinds not closed and the window not secure. NHSE also reported that the building was secured by a single lock, and had no other physical security measures such as an alarm. In fact, just one week after the records were eventually removed, the building was broken into.

What was the result of the investigation?

The ICO has called the breach a “serious contravention” of data protection legislation that could lead to serious damage and distress for victims. In fact, the ICO said that any concerns by patients went beyond mere irritation and that fears about data falling into the wrong hands were understandable, even if such fears were never actually realised. As such, the ICO found that the severity of the breach merited a £35,000 fine.

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

What’s more, it doesn’t matter that the data remained secure in the building and didn’t fall into the hands of criminals. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

If you registered with Bayswater Medical Centre before July 2015 (even if you have since moved to another practice), and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

Before the General Data Protection Regulation came into force in May 2018, organisations were not obligated to tell individuals if their data was breached, so you may not know if your medical records were put at risk. But if you are in any doubt, it’s worth finding out, and we can do this for you.

With strict time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

IF YOU THINK YOU MAY HAVE A CLAIM THEN COMPLETE OUR CONTACT FORM.