Hayes Connor insights: data breach trends in 2018
Scrutinising the past 12 months, Kingsley Hayes, expert data protection solicitor and MD of Hayes Connor, looks at some of the key trends and insights we are seeing in this evolving area of law.
A lack of care is rife
At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high profile data breach. That's in the last six months alone.
These cases saw breaches of personal, financial and sensitive data involving the likes of Ticketmaster, British Airways, Dixons Carphone and Facebook.
Disturbingly, the response provided by many of these large organisations falls short of what we would expect. In many instances, when a breach occurs the accepted risk management plan seems to be:
- Say sorry
- Provide free security monitoring software
- Promise it won't happen again
- Advise the customer that there is nothing that they can do to remedy any losses they might suffer.
Such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.
In 2019 we would challenge businesses to do more to accept their data privacy responsibilities and provide adequate redress where they fail to do so.
If this challenge is not accepted, more and more customers will look for help to protect their privacy, and claim back from organisations where they have suffered loss. Put simply, to avoid the threat of data breach compensation claims, businesses must do more than pay lip-service to the idea of data protection.
The financial impact of data breaches is not immediately apparent
At this stage, it has become clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, at Hayes Connor, we have seen cases where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.
With major breaches now occurring weekly (particularly in the retail sector), we expect this situation to escalate. As such, more must be done to protect customers following a data breach - and this cannot be a short-term fix.
Individuals are becoming more aware of their data protection rights
The introduction of the General Data Protection Regulation (GDPR) in May 2018 coincided with a significant increase in reported data breaches. So it seems that the GDPR has created greater public awareness about individual rights.
Indeed, at Hayes Connor we are currently dealing with over 200 enquiries per month from consumers. Complaints range from the inappropriate use of email to the deliberate or inadvertent disclosure of sensitive, financial, and medical information to third parties.
In most of these cases, the victim of the data breach will have tried to engage with the organisation that has committed the breach and been either rebuffed or provided with a wholly inadequate excuse. In almost all cases the organisation at fault fails to recognise the damage caused by the breach and loss.
The emotional impact of data breaches is not been taken seriously by organisations
You can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.
A personal data breach is a 21st-century version of being burgled. And, being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.
According to Victim Support: "The effects of crime can also last for a long time, and it doesn't depend on how 'serious' the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident".
Crucially, the law understands the damage that can be caused by worry and upset. But it doesn't appear that organisations do.
In our experience, companies and their representatives (be they legal or insurance based) are still responding with a pre-packaged "we won't do it again" approach. This fails to recognise the full impact of the breach, which can be significant and of a psychological nature.
We've seen cases where experiencing a data breach has resulted in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury. And, like financial losses, this is often happening months after the initial breach was revealed.
As awareness of the impact of data breaches grows, so does the need for the breaching organisation to understand that they must assess each victim as an individual, and understand the repercussions of the offence. One size does not fit all.
The ICO's approach doesn't yet meet the needs of the individual
Over the last few months, we've paid close attention to how the Information Commissioner's Office (ICO) has responded to data breaches.
In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians, and to make sure that organisations take appropriate action in the immediate aftermath of any breach.
While we understand this approach, we also believe that the still ICO requires education on the lasting a full impact of data breaches. Because to date, the experience of the individual is still being downgraded.
As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.
For example, at Hayes Connor, we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years over 150 reported incidents of the same type have been made, and despite reported changes to process and internal governance, in the months leading up to the implementation of the GDPR another significant and life-affecting breach occurred. Unfortunately, for those involved in this case, the ICO's response was less than satisfactory. We hope that, as time progresses, so too will the ICO's approach.
The law is evolving when it comes to data protection
Of course, data privacy is still a relatively new area of law. So it's to be expected that it is still evolving. Recently we have seen more emphasis on the relationship between privacy rights and data protection from a legal perspective. And this is good news for individuals as it means we can start a claim based on more than one ground (i.e. for the misuse of private information and for breach of data protection obligations).
Other significant developments include:
- Making it much easier to bring claims for compensation for distress alone (rather than as an add-on to a financial loss claim)
- The courts looking at a wider-range of factors when deciding on appropriate compensation (e.g. the consequences of the misuse of data, what information was breached, etc.)
- The ability to hold organisations to account for data breaches caused by employees, third-parties, etc.
Also, the law now realises how important it is that cases are assessed in detail and on their unique merits.
Ultimately, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect a standard of data protection we should all aspire too. And, until then, it seems likely that data breach claims will only continue to increase.
If you would like to contact us regarding a data breach case then you can do so here