Hayes Connor highly commended as boutique law firm of the year

We are delighted to announce that Hayes Connor Solicitors was highly commended at the Eclipse Proclaim Modern Law Awards in the boutique law firm of the year category.

The prestigious awards, which are now in their sixth year, celebrate and identify sparkling talent and success in the modern legal services arena. They also showcase and set the benchmark for best practice in the ever diverse, challenging and exciting legal landscape.

The event organisers were overwhelmed with nominations this year, receiving more submissions than ever, so it is a significant achievement by our firm.

The boutique law firm of the year category honours firms that specialise in a niche area of law. In our case, data breach and cybercrime.

The judges made their award based on the following criteria:

  • A practice that has performed exceptionally in terms of establishing itself in its chosen market
  • A firm that has demonstrated extensive development and progress as a business, including, but not limited to; strategy, growth, financial performance, employee development, diversity and training
  • An innovative practice that has demonstrated its ability to creatively and effectively compete with multi-practice firms
  • A practice that exceeds the expectations of basic client care and professionalism.

The award ceremony took place on Thursday 31st January in Victoria Warehouse, Manchester.

Commenting on the accomplishment, Kingsley Hayes, managing director at Hayes Connor said: “Our core aim is to help our clients get the redress they deserve following data protection breaches, cybercrime, and other online offences. And, despite an almost entirely online approach, Hayes Connor Solicitors has fast become one of the most recognised names in the sector.

“Over the past 12 months, our firm has established itself as the only niche provider of legal services in the data protection, GDPR and cyber fraud area. This is all we do, and we have become a true specialist in this area of law. We are thrilled that we are being recognised for our achievements in his area.”

As well as the boutique law firm of the year commendation, Hayes Connor was also shortlisted in the Marketing and Communication Strategy of the Year category. This class looks at firms which have shown exceptional originality and innovative thinking in this area.

We were shortlisted based on the work we have done to establish our position as a thought-leader in data breach and cybercrime legal services; informing and educating consumers on their rights.

While we are disappointed to miss out on this award, we recognise the strength of this category and congratulate the winner.

data breach

Charity data breaches double over past two years

According to figures obtained from the Information Commissioners’ Office (ICO), the number of reported data breaches from charities has doubled. In 2017/18 there were 148 data security incidents referred to ICO by charitable and voluntary organisations. That’s a 100% increase over two years.

The rise in charity data breaches reflects a growing trend across all sectors. In fact, over the past two years, general business has seen a 215% increase and education and childcare organisations a 142% rise. On average, the number of reports across all sectors has grown by 75%.

The figures were obtained by risk management firm Kroll via a Freedom of Information Act request.

The General Data Protection Regulation (GDPR), which requires organisations to report data breaches is thought to be a key factor in the increase of reports. And it is likely that we will continue to see a dramatic increase in data breach accounts now that self-reporting is mandatory.

A Kroll spokesperson said: “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK”.

Charity data breaches in the spotlight

Earlier this month it was revealed that a review of eight charities by the ICO uncovered many concerns around data monitoring, reporting and training. As the charities involved voluntarily took part in the ICO risk review, they have not been named.

In addition, earlier this year the British and Foreign Bible Society was fined £100,000 for failing to protect the personal data of 417,000 of its supporters. Following an investigation by the Information Commissioner’s Office (ICO), it was revealed that the Society exposed these supporters to possible financial or identity fraud.

With data breaches often causing significant distress for those affected, victims of the British and Foreign Bible Society data breach may now want to claim compensation. Find out more about this case.

Making a charity data breach claim

Many people donate to charities and causes they care about. But, while you might support them in their aims, it is vital that they meet their obligations when it comes to protecting your sensitive data.

Where they fail to do this, holding them to account is often the only way to ensure standards are improved. Often charities and organisations are insured against data breaches, so you don’t have to worry about the impact of the good work you support.

What’s more, it doesn’t matter if criminals haven’t used your data. If the data breach has caused you stress or anxiety, then the law agrees that you are entitled to compensation.

If you are worried that a charity has put your data at risk in any way, find out more about making a data breach compensation claim, or contact us today for a free initial assessment.



Bank sends credit card statements to the wrong person

Financial crime is a hot topic at the moment, with stories about push payment fraud and takeover fraud leaving people worried about what could happen if they became the victim of a bank scam.

But in many cases, its human error rather than cybercrime that is the biggest cause of financial data breaches. And, these errors are just as likely to happen offline.

In a recent case, our solicitors saw the impact of what can happen when a person’s financial information was sent to the wrong address by mistake.

What happened in this case?

In this data breach, a bank sent partial credit card statements to the wrong person. The information was sent to a completely different person to the account holder (our client), attached to the back of a bundle of documents she had requested.

Luckily, in this instance the woman who received our client’s statements was honest, and despite being a complete stranger she contacted him to let him know what had happened. She also reported the incident to her local branch, although she was not satisfied with how the bank proposed to deal with the matter. If such a simple error can be made, what’s to say it couldn’t happen to other customers?

As a direct response of this admin error, this data breach has caused considerable distress and worry to our client. He has now lost confidence in his bank and can’t be sure if his sensitive and personal data has been further breached.

Lessons learned

Banks, credit card providers and other financial institutions need to do more to protect sensitive financial data.

All too often staff are involved in such data breaches, so employee training and awareness must form a core part of any security strategy and measures.

If you are an employee of a financial organisation and want to make sure that you don’t make a similar mistake, talk to your employer about any processes that can be put in place to make sure that this doesn’t happen to you. Such steps could include things like additional data protection training, secure systems for storing information, checks and balances on systems generating correspondence, and measures to ensure that the correct information is being sent to customers.

This is especially important if you deal with sensitive financial information which could cause serious harm if it falls into the wrong hands.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


Sharing data? Think before you do

With human error the leading cause of data breaches, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses communicate the importance of information security to staff.

At Hayes Connor, we’re sharing some of the tips included in this toolkit to raise awareness of the importance of this issue, and to help organisations across the UK improve their data protection processes.

Tip: All information you work with has value. Share it appropriately

The risk of data sharing  

We live in a data-driven world, so it’s not unusual for us to share our personal information with organisations. Not least because sharing this data tends to make life easier and more convenient. But it’s vital that our data is only used in ways we would expect, and that it is kept safe.

In a recent case, we saw the impact of what can happen when a gym provided a woman’s personal details – including her home address- to another customer who shared her name by mistake. This error led to considerable distress, upset and even fear.

Quick tips

  • Employers must understand the importance of data protection and make sure that strict policies and procedures are put place to ensure the safe processing of information – both in and out of the office
  • In many cases, data breaches can be avoided by staff abiding by the data protection principles of their businesses. But it is up to employers to make sure that all staff receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws
  • Organisations must do more to protect personal information. For example, by designing systems that only allow the relevant people to have access
  • Every staff member accessing personal records should provide a reason for doing so.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

breach compensation
, ,

Making a compensation claim helps to address the real-life impact of data breaches

At Hayes Connor Solicitors, we help our clients to make compensation claims after their data has been put at risk by the organisations they trust to look after it.

In some cases, these data breaches are massive news stories following hacks against the likes of Ticketmaster, Equifax and British Airways. But, every day, we also help people come to terms with smaller data breaches that have a severe and often lasting impact on them.

But, although we believe that these organisations must be held to account for their failure to protect our personal information, all too often people who make a data breach claim are accused of “trying to get something for nothing”. So let’s set the record straight.

The impact of cybercrime can be devastating

Cybercrime can result in both financial and/or identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

Following last year’s Ticketmaster data breach, 63% of all the clients we took on suffered multiple fraudulent transactions on their payment cards.

Worryingly, getting your money back following a scam is not always easy. For example, in a recent example of takeover fraud, a customer of the Royal Bank of Scotland (RBS) had more than £4,300 stolen from her account despite the fraudulent caller answering one of her security questions incorrectly. Despite the failure in their processes, the bank maintained that the customer was aware of the transaction and refused to refund her. Find out more about this case.

Claiming for distress isn’t an overreaction

Even if you haven’t lost out financially after a data breach, this doesn’t mean that there is “no harm done.”

A personal data breach is a 21st-century version of being burgled. If a criminal came into your home and stole your private information, you would be distressed. So why should you feel any less upset at having your online data taken?

Following last year’s Ticketmaster data breach, 31% of all our clients involved in this case suffered from distress and/or psychological trauma as a result of having their card details stolen and used in fraudulent activity.

Being the victim of a crime can have a significant impact on you mentally and physically. Of course, everyone reacts differently, but for some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

According to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Even smaller data breach cases can have a huge impact. For example, in a recent case, our solicitors saw the impact of what can happen when sensitive information was sent to the wrong address by mistake.

Thankfully, over the last few years, people are waking up to the reality of mental health and there is a greater awareness about the lasting effects of psychological suffering and anguish. Crucially, the law agrees and recognises the amount of damage that can be caused by having your information stolen.

Holding organisations to account could be the only way to ensure they take your security seriously

The sheer scale of the information we share with organisations is enough to leave us all open to the threat of fraud, anxiety and stress. So it’s no surprise that we are worried about what could happen if this data gets into the wrong hands. As such, something has to be done to make companies accountable for any harm done.

Cybercriminals are becoming more and more sophisticated. But this doesn’t let these organisations off the hook. If they have done everything in their power to protect your data and have robust security processes and procedures in place, it is unlikely that a claim would be successful. In fact, this is why we usually wait for the results of an investigation by the ICO before starting a claim.

But the reality is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. So claiming compensation isn’t just in your best interests, the only way these organisations will be persuaded to take their responsibilities seriously and make the necessary improvements is by hurting their bottom line.

The real-life impact of data breaches

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


Online defamation and libel: know your rights

Defamation is a bit of a hot topic at the moment. Earlier this year, writer and food blogger Jack Monroe won a libel action against Katie Hopkins, and was awarded £24,000 damages, for tweets which suggested that Monroe approved of defacing a war memorial during an anti-austerity demonstration in Whitehall. As a result of the fine, Hopkins had to apply for an insolvency agreement to avoid bankruptcy. Libel is a form of defamation.

Other instances where defamation has been brought into the public eye include where high-profile celebrities or businesspeople have brought an injunction to prevent the publication of material that would be damaging to their reputation (so-called gagging orders).

If you have been the victim of online defamation, it’s vital that you know your rights and what you can do to protect your reputation and achieve redress.

What is defamation?

Defamation is an all-encompassing term that covers any statement that damages someone’s reputation.

A defamatory statement can be made in:

  • Verbal form. This is classed as slander because only the spoken word is involved. Slander can be difficult to prove
  • Written form. This is classed as libel. A case for libel is easier to bring because evidence can be documented.

Defamation makes an ordinary person modify their opinions of another person as a direct result of hearing or reading the statement. Under UK law it is possible to defame businesses as well as individuals. A person that has suffered a defamatory statement can sue the person that made the statement under defamation law.

What is libel?

Online defamation tends to involve libel. You could accuse someone of libel against you if they:

  • Sent an email, or an email attachment defaming you, where that email is widely posted or forwarded
  • Made defamatory material available via a web page
  • Posted defamatory material to an email list or newsgroup
  • Streamed defamatory audio or video.

Anyone who actively transmits defamatory material may also be liable as part of any legal action.

What about freedom of expression?

It is accepted in a democratic society that individuals have a right to express their views and preferences. The internet offers great potential to do this.

Defamation is an abuse of this freedom of expression; where untrue statements may have a harmful impact on a person’s reputation.

It is critical to ensure that unfounded claims should not be allowed to damage a person’s reputation, but it is also vital for the law to balance such protections with the rights to freedom of expression. As such, the issue of defamation has become a much contested topic.

Of course, there is a balance to be had between one person’s right to protect their good name and another person’s freedom of speech. However, if someone has made an untrue statement about you, which was published on the internet, and which caused you injury, then you are entirely in your rights to sue for online defamation.

, ,

Human error rather than cybercrime biggest cause of self-reported data protection breaches

Human error rather than cybercrime biggest cause of self-reported data protection breaches

According to the Information Commissioner’s Office (ICO), the number of reported data protection breaches has almost doubled since April this year.

The increase has happened since the introduction of the General Data Protection Regulation (GDPR) on May 25th. Under the GDPR the self-reporting of data breaches is now mandatory. As such, we can expect to see this increase in data breach reporting to continue to rise.

However, despite fears about cybercrime, human error is seven times more likely to cause data protection breaches than hackers.

According to data released under the Freedom of Information Act, out of 2,124 self-reported data breaches in 2017-18, fewer than 300 were because of cybercrime.

Common causes for these data violations include:

  • Data sent to the wrong recipient
  • Loss of theft of paperwork
  • Failure to redact data
  • Failure to use bcc when sending an email
  • Unencrypted devices being lost or stolen

Worryingly, while cybercrime is not responsible for most data protection breaches, reported cybersecurity incidents have increased by 31% over the same period. Of these attacks, malware, phishing and ransomware were the most common culprits.

Which sectors report the most data protection breaches?

The sectors most affected by data protection breaches are:

  • Healthcare with 1,214 data breach reports (this sector was already subject to self-reporting before the GDPR)
  • General business with 362 data breach reports
  • Education and childcare with 354 data breach reports
  • Local government with 328 data breach reports.

In total, taking into account self-reported breaches and complaints from elsewhere, the ICO received a staggering 21,019 data protection concerns in 2017/18.

What can you do if you are the victim of a data protection breach?

The ICO can impose hefty fines on organisations that don’t meet their obligations under the Data Protection Act. The biggest fine it has issued so far is for £400,000, but that was made before the new GDPR rules. However, the ICO does not award compensation to victims.

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. At Hayes Connor Solicitors, we’ve been helping people to do just that for over 50 years, so we know what it takes to make a successful data breach compensation claim.

Crucially, the law recognises the potential damage that is caused by psychological suffering. So, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

Our expert, friendly team will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you.

If we believe you have a substantial, complex case, we’ll go through your options with you and may be able to act for you on a NO WIN, NO FEE basis. For smaller claims, our quick assessment form will help you to start your claim, quickly and easily. So you can be sure of receiving your compensation in the shortest possible time.

We can help you to claim compensation for data protection breaches, data leaks, human rights breaches, and the misuse of personal information.

At Hayes Connor Solicitors, we understand that making a compensation claim can be stressful; especially where your sensitive information has already been breached. That’s why we remove the jargon from the process and make sure you always know what’s happening with your case. Of course, it goes without saying that our process is fully compliant with ICO guidance and we never put your details at risk.



ICO guidelines. Know your GDPR rights

Unless you have been living under a rock, you will have heard about the General Data Protection Regulations (GDPR). Under the GDPR, any organisation that handles personal information such as names, email addresses, phone numbers, and payment details has to put robust measures in place to keep this safe.

The GDPR forms part of the data protection regime in the UK and works alongside the new Data Protection Act 2018.

The more you know about the GDPR, the easier it is to make sure you hold organisations to account when it comes to keeping your data safe.

On the Information Commissioner’s Office (ICO) website you can find a wealth of information and advice on the GDPR.

For example, did you know that you have the following rights?

The right to be informed if your personal data is being used

This includes things like why an organisation is using your data, how it is using it, what type/types of data it is using, how long the data will be kept, if it shares this data with any third parties, and more.

The right of access to your data

You have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).

You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used. In addition, at Hayes Connor Solicitors, many of our clients make SARs to start the compensation claim process following a data breach.

Find out more about making a SAR.

The right to get your data corrected or deleted

You can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected, added to, or deleted. The ICO provides a handy template to help you to raise any concerns about your data.

The right to limit how organisations use your data

You can limit the way an organisation uses your personal data. To exercise your right you should make your request directly to the organisation in questions and be clear why you want the data to be restricted.

 In some circumstances you can also object to an organisation using your data at all. For example you have the right to stop an organisation using your data for email marketing.

The right to data portability

You have the right to get a copy of your personal data from an organisation. You might want this data to pass to another organisation and so it must be provided in a way that is transferrable if at all possible.

Find out more about your rights on the ICO website.

At Hayes Connor Solicitors we are committed to making sure that people across the UK understand their data protection rights, and know what they can do when these rights have been ignored, overlooked or abused.

If you have suffered damage or distress caused by an organisation breaching any part of the GDPR/Data Protection Act, you also have a right to claim compensation. At Hayes Connor Solicitors, we’ve been helping people to do just that for over 50 years, so we know what it takes to make a successful data breach compensation claim.


data breach trends

Hayes Connor insights: data breach trends in 2018

Scrutinising the past 12 months, Kingsley Hayes, expert data protection solicitor and MD of Hayes Connor, looks at some of the key trends and insights we are seeing in this evolving area of law.

A lack of care is rife

At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high profile data breach. That’s in the last six months alone.

These cases saw breaches of personal, financial and sensitive data involving the likes of Ticketmaster, British Airways, Dixons Carphone and Facebook.

Disturbingly, the response provided by many of these large organisations falls short of what we would expect. In many instances, when a breach occurs the accepted risk management plan seems to be:

  1. Say sorry
  2. Provide free security monitoring software
  3. Promise it won’t happen again
  4. Advise the customer that there is nothing that they can do to remedy any losses they might suffer.

Such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.

In 2019 we would challenge businesses to do more to accept their data privacy responsibilities and provide adequate redress where they fail to do so.

If this challenge is not accepted, more and more customers will look for help to protect their privacy, and claim back from organisations where they have suffered loss. Put simply, to avoid the threat of data breach compensation claims, businesses must do more than pay lip-service to the idea of data protection.

The financial impact of data breaches is not immediately apparent

At this stage, it has become clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, at Hayes Connor, we have seen cases where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

With major breaches now occurring weekly (particularly in the retail sector), we expect this situation to escalate. As such, more must be done to protect customers following a data breach – and this cannot be a short-term fix.

Individuals are becoming more aware of their data protection rights

The introduction of the General Data Protection Regulation (GDPR) in May 2018 coincided with a significant increase in reported data breaches. So it seems that the GDPR has created greater public awareness about individual rights.

Indeed, at Hayes Connor we are currently dealing with over 200 enquiries per month from consumers. Complaints range from the inappropriate use of email to the deliberate or inadvertent disclosure of sensitive, financial, and medical information to third parties.

In most of these cases, the victim of the data breach will have tried to engage with the organisation that has committed the breach and been either rebuffed or provided with a wholly inadequate excuse. In almost all cases the organisation at fault fails to recognise the damage caused by the breach and loss.

The emotional impact of data breaches is not been taken seriously by organisations

You can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

A personal data breach is a 21st-century version of being burgled. And, being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

According to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Crucially, the law understands the damage that can be caused by worry and upset. But it doesn’t appear that organisations do.

In our experience, companies and their representatives (be they legal or insurance based) are still responding with a pre-packaged “we won’t do it again” approach. This fails to recognise the full impact of the breach, which can be significant and of a psychological nature.

We’ve seen cases where experiencing a data breach has resulted in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury. And, like financial losses, this is often happening months after the initial breach was revealed.

As awareness of the impact of data breaches grows, so does the need for the breaching organisation to understand that they must assess each victim as an individual, and understand the repercussions of the offence. One size does not fit all.

The ICO’s approach doesn’t yet meet the needs of the individual

Over the last few months, we’ve paid close attention to how the Information Commissioner’s Office (ICO) has responded to data breaches.

In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians, and to make sure that organisations take appropriate action in the immediate aftermath of any breach.

While we understand this approach, we also believe that the still ICO requires education on the lasting a full impact of data breaches. Because to date, the experience of the individual is still being downgraded.

As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.

For example, at Hayes Connor, we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years over 150 reported incidents of the same type have been made, and despite reported changes to process and internal governance, in the months leading up to the implementation of the GDPR another significant and life-affecting breach occurred. Unfortunately, for those involved in this case, the ICO’s response was less than satisfactory. We hope that, as time progresses, so too will the ICO’s approach.

The law is evolving when it comes to data protection

Of course, data privacy is still a relatively new area of law. So it’s to be expected that it is still evolving. Recently we have seen more emphasis on the relationship between privacy rights and data protection from a legal perspective. And this is good news for individuals as it means we can start a claim based on more than one ground (i.e. for the misuse of private information and for breach of data protection obligations).

Other significant developments include:

  • Making it much easier to bring claims for compensation for distress alone (rather than as an add-on to a financial loss claim)
  • The courts looking at a wider-range of factors when deciding on appropriate compensation (e.g. the consequences of the misuse of data, what information was breached, etc.)
  • The ability to hold organisations to account for data breaches caused by employees, third-parties, etc.

Also, the law now realises how important it is that cases are assessed in detail and on their unique merits.

Ultimately, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect a standard of data protection we should all aspire too. And, until then, it seems likely that data breach claims will only continue to increase.

If you would like to contact us regarding a data breach case then you can do so here

Merry Christmas

We would like to wish all our clients and followers a very Merry Christmas