Posts

Hayes Connor highly commended in innovative marketing award

Data breach and cybersecurity specialist Hayes Connor Solicitors was highly commended for its innovative marketing at The Symphony Legal Annual Conference held in Hinckley in September.

The firm was recognised for its client focused approach to marketing with its use of technology to simplify the enquiries process and increase speed of response, alongside its content and PR strategy to raise awareness of consumers’ data protection rights, highly commended.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “We strive to deliver excellent customer service and this involves the whole process from educating consumers on their data privacy rights through to making it easy for individuals to make a claim following a data breach which may have an impact on them financially and psychologically either now or in the future.

“We were delighted to be recognised amongst our peers during a period of significant growth with the team growing from just four to twelve in the past 12 months alone.”

Rich Dibbins, digital strategy consultant and judging panel member at Symphony Legal said: “Hayes Connor demonstrated that it has successfully positioned itself as a consumer champion in the data protection space. We were impressed with the firm’s client focused approach to marketing and business development placing clients at the heart of everything the firm does.”

Hayes Connor Solicitors was also Highly Commended for Boutique Firm of the Year at the Modern Law Awards held in January 2019.

The firm was recently appointed as data protection supplier to the Communication Workers Union and is currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.

 

Today’s Legal Cyber Risk, 13th September 2019

Kingsley Hayes raised concerns about data protection on mobile phones following news that a serious cyber security risk had been exposed affecting one billion smartphones. The significant gap in security was only identified following an independent third party’s research.

Exposure of smartphone security risk demonstrates a worrying trend

Cybersecurity firm Check Point recently exposed a serious vulnerability in smartphones using the android mobile operating system which would allow a hacker full access to an individual’s emails with one simple text. *

Android is the most popular operating system globally with the research identifying that 1 billion smartphones were vulnerable to a cyber attack via a text message that could not be differentiated from an authentic message from the network operator.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “The finding demonstrates a worrying trend of businesses only realising lax cybersecurity when it is exposed by a third party. This indicates that implementing robust preventative measures, and regularly reviewing cybersecurity, is still not top of the agenda – as it should be – for far too many organisations

“As most of us are now heavily reliant on our mobile phones for work and personal purposes, it is disconcerting that it has taken an independent third party to expose the lack of cybersecurity on such a significant number of smartphones.

“It is extremely worrying that such a serious failure in robust cybersecurity was not identified and prevented by the network operators themselves.

“The consequences to an individual of a hacker gaining full access to the emails on their phone can be far reaching. With many using their smartphones for both business and pleasure, a cyber attack could potentially cause significant harm – both to the individual and their employer.

“It is quite shocking to consider the ramifications of a hacker having full access to a wealth of private data contained within emails. Offline, this would be equivalent to giving a burglar the keys to someone’s house allowing them to open all their personal post dating back potentially years.

“The financial and psychological impact of a malicious attack, made so easy by network operators in this instance, can result in serious consequences such as identity theft, financial fraud and more.

“What this news also reveals, sadly, is that cybersecurity is still not being taken seriously enough by businesses. The high sales and heavy usage mobile phone sector should arguably be proactively leading the way in cybersecurity.”

The news revealed that the smartphones affected are Samsung S9, Huawei Pro, LG G6 and Sony Xperia with reports confirming that both Samsung and LG have since introduced a fix.

Hayes Connor Solicitors was recently appointed as data protection supplier to the Communication Workers Union. The firm is currently acting for thousands of customers with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.

*https://bit.ly/2lLGOKX

Today’s Legal Cyber Risk, 10th September 2019

We commented following the exposure of a data breach by Teletex after it was discovered that thousands of customer calls had been stored unsecured for three years. The calls contained customers’ postal and email addresses, phone numbers and dates of birth. Kingsley Hayes comments that the latest breach is a stark reminder that storing private information in the cloud does not mean that that data is automatically secure. 

SAR Requets
, ,

Metropolitan Police failing to respond to subject access requests

You have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR). The ICO (the UK’s data protection regulator) has been working with the Metropolitan Police Service (MPS) to address its large SARs backlog. However, the MPS has more than 1,100 open requests. With nearly 680 over three months old. The ICO believes that this is a cause for concern.

What has happened in this case?

The ICO has issued two enforcement notices ordering the Metropolitan Police Service to respond to all SARs by September 2019. The regulator has also asked the MPS to “make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.”

The ICO added, “Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations”.

What do you need to know about making a subject access request?

Find out how to make a Subject Access Request on the ICO website.

Crucially, when it comes to making a subject access request, the ICO has stated that there is “no requirement for a request to be in writing”.

What can you use a SAR for?

You can use a SAR to find out:

  • What personal data an organisation holds about you
  • Whether an organisation is processing your personal data
  • How the organisation got hold of your data
  • The types of personal data being processed
  • Why your data is being processed
  • Any third parties that your data is being shared with
  • How long your data will be kept for
  • How you can have your data amended or deleted
  • Whether they use any automated decision-making processes
  • Any other supplementary information.

Of course, it could take longer for an organisation to supply everything they have about you. So, if you only need certain data and you want to speed things up, it makes sense to be specific.

The ICO has provided a handy template to help you to do this.

What else do you need to know about making a subject access request?

  • Organisations should provide contact information for making a SAR. Under the GDPR, this information should be available on an organisation’s website (check the privacy policy usually found in the footer)
  • Requests can be responded to electronically (as long as it is secure)
  • You can ask for a paper copy of the data held about you, but a company only has to provide this if it is reasonable to do so
  • SARs need to be replied to within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this
  • Organisations must make you aware of any delays which may affect their requests. They should also explain how the situation is being addressed
  • Organisations can ask for further information to establish your identity, particularly where sensitive data is involved. However, such requests must be “reasonable and proportionate”
  • A copy of your personal data should be provided at no cost to you. Although “reasonable” fees can be charged for manifestly unfounded or excessive requests
  • An organisation can refuse a SAR if they believe it to be ‘manifestly unfounded or excessive’. They may also deny a SAR if your data includes information about another individual. However, they can’t just ignore you. They must still write to you and explain why your SAR is being refused
  • You have a legal right to ‘rectification’ of your records. So, if something in your data is wrong, you can ask to have it corrected. Organisations have one month to respond to your request
  • If you are worried about the way an organisation is handling your information, the ICO has provided a handy letter template to help you to raise your concerns.

What can you do if you don’t believe your SAR has been taken seriously?

If you believe any fees to be unfair, you can complain to the organisation in question. However, if the matter is not resolved, you should report your concerns to the ICO.

If more than a month has passed since you made your SAR, and you have not heard anything back, you should write to the organisation reminding them of your request and their obligations under the GDPR. And, if you still don’t hear back, you should complain to them using their complaints process. And, if you are not happy with their response, you can complain to the ICO.

If you think your request has been rejected unjustly, you can raise a complaint with the organisation in question. And if you remain dissatisfied, the ICO.

If the organisation refuses to change their records, you can complain to the ICO. However, there’s a difference between information that is incorrect and information that you disagree with. For example, if you have a dispute with your doctor over a diagnosis, you can’t change your health records. However, you might be able to add a note to this record stating that you disagree with the medical opinion.

If you believe that an organisation is not handling your data properly, you can also complain to the ICO.

Find out more about Subject Access Requests.

Data protection solicitors

At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.

Teletext data breach exposes risk of cloud storage usage

It was announced last week that Teletext, the trading name for package holiday firm Truly Travel, had risked customers’ personal data following the discovery that 212,000 customer call recordings had been left on an unprotected server for three years*.

The recordings took place between April and August 2016 with many including details of holiday bookings exposing postal and email addresses, phone numbers and customers’ dates of birth.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “This latest breach exposes the risk of using cloud storage without ensuring that the information is held securely. Cloud services are not secured by default and this may prove a significant risk to businesses who may be unaware of this.

“It has been reported that the audio files were unsecured for a three year period exposing Teletext customers to potential identify theft and other fraudulent activity over a lengthy period. Any private data held by a company, regardless of the format of that information, needs to be stored, processed and shared securely – this includes any historic archived files that can easily be forgotten.

“Companies are starting to be more savvy about data protection post GDPR however, historic practices may leave them vulnerable to potentially hefty fines and compensation claims.”

Hayes Connor Solicitors was recently appointed as data protection supplier to the Communication Workers Union. The firm is currently acting for thousands of customers with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.

*https://bit.ly/2jZ3kiU

Today’s Legal Cyber Risk, 29th August 2019

The majority of data breaches occur due to preventable human error. We featured on Today’s Legal Cyber Risk commenting on a report exposing that while employees are recognised by businesses as the greatest risk to data protection, it appears that many are still not providing adequate preventative measures, including educating staff.

data breach compensation
, ,

What is included in a data breach compensation claim?

As data protection solicitors, one of the things we regularly get asked by people who have suffered because of a data breach is “what can I claim for”?

Data breaches can and do cause serious and lasting damage. To claim compensation, you must be able to prove that you suffered as a result of the breach. And, while each case is judged on its own merits, there are some things we would typically look for when it comes to recovering damages for victims of a data breach.

Financial losses

With enough information, cybercriminals can use your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Evidence of financial losses include things like receipts, bank statements etc.

Distress

Even if you haven’t lost out financially after a data breach, this doesn’t mean that there is no harm done. A data breach can have a significant impact on you, both mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. When it comes to any psychological effects we may be able to arrange for a medical consultation to help prove your claim.

A number of our clients have suffered life changing consequences following a data breach. In many cases these clients have been examined by experts and have a confirmed diagnosis. Failing to acknowledge the impact a data breach can have on poor mental health is a mistake.

How much data breach compensation can you claim?

Data breach compensation following data hacks and confidentiality breaches can range from a few hundred pounds to tens of thousands of pounds.

For example, someone whose medical records were stolen could be entitled to £6,000. If you do go to court, it is up to the judge to consider all the circumstances, including the seriousness of the breach and the impact on you.

Typically, we would look to claim for:

  • Any money lost (e.g. if a cybercriminal used your bank card)
  • Stress, worry, and anxiety
  • Any recognised psychological injury
  • The effect that the leak has had on your social and home life
  • Any loss of earnings as a direct result of the breach (e.g. if you need time off work or lose your job)
  • The loss of future earnings (e.g. if you have to drop out of university)
  • Any expenses that you have had to pay as a result of the data breach (e.g. private medical care, travel expenses, accommodation, etc.).

How do we prove your claim?

Once you have told us that you want to make a data breach or cybercrime compensation claim, we will send you our initial documentation pack. This sets out what we will do for you, how we will do it, and what we need to proceed with your claim.

Within this pack, you will also find our data breach questionnaire. This lets you tell us as much about your case as possible. We ask you to complete this to best of your ability.

The type of questions we ask include:

  • When the data breach took place
  • When you found out about the data breach
  • What information was stolen/put at risk
  • If you have reported the data breach (e.g. to the ICO, the police etc.)
  • If you have you received any documentation admitting the breach (and if so, when)
  • Whether the organisation that put your data at risk has given you a reference number
  • If you have suffered any distress as a result of the data breach. And if so have you spoken to your GP about this
  • Whether you have any pre-existing vulnerability to distress or psychological trauma
  • Whether you have suffered any financial loss as a result of the breach. And if so, what these losses involve
  • Whether anyone else has been affected by the breach. And if so, who and how.

We need this information to ensure we make the strongest possible claim on your behalf.

Once you have signed and returned the necessary information to us, we will make a start on your case. It is not unusual that – on reviewing your impact form – we uncover information that allows us to increase the value of your claim significantly. What might seem irrelevant to you, could make a massive difference in the eyes of the law. That’s why appointing expert data breach compensation solicitors is essential.

How much does it cost to make a data breach compensation claim?

Access to professional legal advice is a fundamental right. That’s why it is vital that everyone can afford to make a data breach or cybercrime compensation claim should they need to.

Removing the financial risk, at Hayes Connor Solicitors, we provide our services on a no-win, no-fee basis to help our clients get the compensation they deserve. So, if we don’t win, you don’t have to pay us a penny.

If your claim is successful (and that’s what we all want!), you usually have to contribute towards your solicitor’s costs. This ‘success fee’ is taken from the compensation awarded to you. The amount of the success fee depends on when your case is settled, but with Hayes Connor Solicitors, you never have to pay more than 25% of your compensation.

What’s more, if enough people come forward to make a large group action claim, we might be able to waive this fee (by getting the other party to pay it instead of you). That would mean that there are no solicitor’s fees win or lose. We always make sure you are fully informed about any potential costs before we proceed.

Helping our clients get the compensation they deserve

Every day serious data breaches take place. And, all too often these breaches put people’s mental health and even their lives at risk.

Our data protection solicitors provide high-quality, sensitive legal advice and support to help victims of data breaches and cybercrime to claim compensation. We may be able to act for you on a NO WIN, NO FEE basis.

Find out more about making a data breach claim with Hayes Connor Solicitors.

 

compensation
,

Claiming compensation for distress under the Data Protection Act

If you have been the victim of a breach of your personal data, the Data Protection Act gives you the right to compensation. You can claim for any money you lose because of a data breach. For example, if a cybercriminal uses your credit card to buy something or steals from your bank account.

But most Data Protection Act breaches don’t actually lead to financial loss. Instead, it is much more common for people to suffer from emotional distress following the misuse of their personal data.

What does the law say?

Until a few years ago, anyone who wanted to claim for distress following a breach of the Data Protection Act first had to prove that they had also suffered financial loss. But this is no longer the case.

And, since a landmark case in 2015[1], there have been many successful claims for distress. So, if you have suffered emotionally after an organisation breached any part of the Data Protection Act (the UK’s interpretation of the GDPR), you have a right to claim compensation.

For example, in 2016, six asylum seekers received awards of between £2,500 and £12,500 after their personal data was inadvertently published on the Home Office website.

What will the court look at when deciding how much compensation to award?

When making a compensation award, the court will look at the specific circumstances of your case. This includes things like the sensitivity of the data compromised and the nature of the disclosure.

However, the court may be prepared to award damages even in cases where your fears about what might happen with your data are not rational. Simply the threat of disclosure, and the loss of trust in authorities resulting from a data breach could result in compensation.

The emotional impact of a Data Protection Act breach should not be underestimated

If a criminal came into your home and stole your private letters and other information, you would be distressed. So why should you feel any less upset at having your online data taken?

The emotional impact of a data breach can be devastating. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect a person’s friends, family and job. We deal with serious cases that put people’s mental health and even their lives at risk. So, downplaying the impact of a data breach claim is extremely disrespectful to the victims.

Who is responsible?

While cybercriminals often target organisations to steal their data, in most cases, data breaches aren’t caused by scammers trying to hack big businesses, but by companies not taking data protection seriously resulting in simple human errors.

However, even where criminals are involved, in most cases organisations have not invested in adequate levels of security. So, the hackers only managed to steal the data because nobody put a “lock on the door”.

Make a Data Protection Act compensation claim with Hayes Connor Solicitors

At Hayes Connor Solicitors, we believe that companies must be held to account for their failure to protect your information.

Some people would have us believe that claiming for distress is an overreaction. That your physiological suffering and anguish doesn’t matter. You might hear friends and family saying that, while it is acceptable to claim compensation for any financial losses, you should put up with any anxiety caused by having your information stolen. But we should all be very worried about what could happen if our data gets into the wrong hands. Why shouldn’t you seek compensation for a failure to look after your information correctly?

Crucially, the law understands the damage that can be caused by worry and upset. So you are 100% within your rights to make a compensation claim.

What’s more, claiming compensation for distress isn’t just in your best interests, it could be the only way to ensure that businesses everywhere implement more secure processes.

If you have been the victim of a data breach or cyber fraud, find out how we can help you to get data breach compensation by completing our enquiry form or give us a call to discuss your case in more depth.

Or, for more advice on how to keep your data safe, follow us on Twitter and Facebook.


[1] Google Inc v Vidal-Hall and others [2015]

employment data breach
, ,

How Hayes Connor helps our clients after an employment data breach

At Hayes Connor Solicitors, we help our clients get the compensation they deserve. We do this following data protection breaches, cybercrime, and other online offences. One type of claim we see a lot of is the employment data breach. Here are just some of the employment data breach cases we have helped our clients with recently.

Breach of data leading to an employment dispute

Our client was referred to a qualified third-party for a standard workplace assessment. This assessment was designed to make sure she had everything she needed to reach her full potential in her job. However, the party conducting the evaluation added sensitive personal information about her to their report. And they gave this to her employer.

This information was not relevant to the assessment. Moreover, it led to a dispute between our client and her employer over the disclosures she made while applying for her job.

In response, our client made a data breach claim against the workplace assessment provider. And, as well as claiming for the initial breach of her sensitive information, she also claimed for the loss and injury she suffered by the infringement when this knowledge was used against her.

Employment data breach leads to an increase in unwanted spam

Our client suffered a data breach when his employer was hacked and his financial information was put at risk.

As a result of the hack, our client was bombarded with unwanted spam calls and text messages, Some of which became quite personal. This proved to be very distressing. It resulted in him and his family suffering from distress and worry. Our client was diagnosed with an anxiety-related psychological condition that would require treatment to help him fully recover.

As the spam could be traced back to the original data hack, he was able to claim for the breach of his data and the injury caused.

Help is needed after an employment data breach

Today, such unlawful disclosures are all too familiar. And, in such cases, this can result in complex anxiety and stress.

But in such situations, you can claim damages for any psychological injuries caused by the breach of your personal data. If you find yourself suffering, make sure you seek appropriate medical attention as soon as any symptoms arise so that the impact can be adequately assessed.

At Hayes Connor Solicitors, we are 100% committed to seeking the compensation necessary to help people get their lives back on track following an employment data breach. But we don’t believe that our obligation to our clients stops there – we also provide a wide range of information to help our clients protect themselves once a breach has occurred.

Making an employment data breach compensation claim

We help our clients to make compensation claims after their data was put at risk by the organisations they trusted to look after it. And we will make sure that your employment rights are protected during and after any claim against an employer.

Our professional, friendly team will advise you on whether you have a valid claim against an employer (or third-party). If you have a substantial case, we may be able to act on a NO WIN, NO FEE basis.  Our process is fully compliant with ICO guidance, and we never put your details at risk. We will NEVER pass your details onto anyone without your permission.

Contact us today for a free initial assessment.


Data protection solicitors

At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.