My personal information has been lost after a data breach: what are my rights?

With the number of data breaches and cyber-attacks on the rise, it is essential that you understand your rights. So what do you need to know?

What type of information do organisations hold about me?

Modern organisations hold a tremendous amount of information about us. This could include data such as:

  • your name
  • your address
  • your date of birth
  • your email address
  • your telephone numbers
  • your credit card details
  • your bank details
  • your password(s)
  • your medical records
  • your religion
  • your political allegiances
  • and more.

 Of course, it’s easy to figure out what could go wrong if our financial information gets into the wrong hands. But it’s more complicated than that.

The UK’s data protection laws safeguard your personally identifiable information (PII). PII includes any data that can be used to identify a specific individual, either on its own or in conjunction with other information an organisation has about us.

If PII gets into the wrong hands, it can be used to undertake identity fraud. For example, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

 What is a data breach?

 A personal data breach occurs when personal information, protected under the law, is destroyed, lost, altered, disclosed or accessed due to a security incident.

It doesn’t matter if this happens accidentally or deliberately. If the confidentiality, integrity or availability of your personal data has been put at risk, then a data breach has occurred.

 If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. The Data Protection Act is the UK’s interpretation of the General Data Protection Regulation (GDPR).

Some of the most common types of data protection breaches include:

  • Where your data has been inadvertently lost, hacked or leaked
  • Where your identity has been stolen to obtain credit cards fraudulently
  • Where your personal data has been sent to someone else without your express permission
  • Where your personal information has been misused or mishandled
  • Where an organisation failed to maintain up-to-date, accurate information about you and this caused you damage.

What is the difference between a data breach and a data hack?

The terms “breach” and “hack” are often used interchangeably. But there are some differences.

  • A data breach refers to any situation where data has been put at risk. A data breach can occur because of hackers and other cybercriminals, or by human error, negligence and poor security processes
  • A data hack is caused by people with malicious intent who break into a company’s systems to steal information.

Hackers do not cause the majority of data infringements, but in each of these instances, data can be exposed and put at risk. As such, identity theft often occurs after a data breach as well as a data hack.

How does an organisation have to respond to a data breach?

There are strict procedures that an organisation must follow if it experiences a data breach that could put your personal data (and therefore you) at risk. This includes informing the regulators that a data violation has occurred and letting you know without undue delay.

Should this happen, you should be told:

  • What has happened
  • The likely consequences
  • What they are doing to respond to the breach and minimise the risk to you
  • Who you can contact for more information.

What to do following a data breach

 If you have been told your data is at risk following a data breach, you should:

  • Contact your bank or card provider if your financial details have been compromised. If you’re not happy with the way your bank deals with your complaint, you can refer it to the Financial Ombudsman Service (FOS)
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords.

If you find that you have become the victim of cybercriminals following a data breach, you should contact Action Fraud as soon as possible.

Make a compensation claim for damage and distress

To claim compensation, you must be able to prove that you suffered as a result of the breach. This includes financial and medical harm, as well as anguish and anxiety. In many cases, a violation will not cause damage but will cause distress.

While some people would have us believe that claiming for distress is an overreaction, the law doesn’t agree with them.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

Organisations have a duty to protect your sensitive data. And letting other people access our bank accounts is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

Until recently, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases, compensation would not have been awarded for distress alone. However, a recent ruling has paved the way for those affected by data breaches to claim damages for distress, even if they have not suffered any financial loss.

To start a compensation claim

  1. Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  2. Read our handy step-by-step guide to making a data breach claim
  3. If you are offered any form of compensation or free services for not being able to access your funds, it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date

Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.
