
An update on Cybersecurity in the UK

The government has published the results of the Cyber Security Breaches Survey 2019. This looks at how UK organisations approach cybersecurity, and the impact of breaches.

Trends in cybersecurity in the UK in 2019

According to this report:

Cyber-attacks are a persistent threat to businesses and charities

Around a third of businesses and two in ten charities report having cybersecurity breaches or attacks in the last 12 months. Among those organisations facing breaches or attacks, the most common types are:

  • Phishing attacks
  • Others impersonating an organisation in emails or online
  • Viruses, spyware or malware, including ransomware attacks.

For businesses, the proportion identifying breaches or attacks is lower than in 2018. The survey is unclear why this has happened. It could be because companies are generally becoming more cyber secure. However, another possibility is that more attacks are being focused on a narrower (though still numerous) range of businesses. The survey also suggests that some companies may be less willing to admit to having cybersecurity breaches following GDPR.

Where businesses have lost data or assets through cyber security breaches, the financial costs from such incidents have consistently risen since 2017

When looking at cybersecurity in the UK, the report states that among those businesses recording breaches or attacks, in 30% of cases this resulted in a negative outcome (e.g. a loss of data or assets). For charities, this happened 21% of the time.

The average cost to a business which lost money following a cyber-attack was £4,180. This is higher than in 2018 (£3,160) and 2017 (£2,450). However, for larger firms this jumped to £22,700 in 2019. For charities, the average cost was £9,470.

So, the costs of cybersecurity breaches can be substantial. But more than this, the survey also states that: “the indirect costs, long-term costs and intangible costs of breaches – things like lost productivity or reputational damage – tend to be overlooked. This means that, when organisations reflect on their approaches to cybersecurity, they may be undervaluing the true cost and impact of cyber security breaches”.

More businesses and charities than before have taken positive steps to improve their cyber security

This is in part linked to the introduction of GDPR. However, while this report found that security is increasingly a priority issue for organisations (78% of businesses and 75% of charities), it does not appear that actions are reflecting this shift.

In fact, only 30% of businesses and 37% of charities have made improvements to their cybersecurity since GDPR.

Of those who have made improvements in a bid to stop cyber-attacks and data breaches:

  • 60% of businesses and charities have created new policies
  • 15% of businesses and 17% of charities have had extra staff training or communications
  • 6% of businesses and 10% of charities have improved their contingency plans.

However, in more positive news, there are year-on-year improvements in these areas.

There is still more that organisations can do to protect themselves from cyber risks

So, the increasing prioritisation of cybersecurity has not always been matched by increased engagement and action. In fact, according to the findings:

  • Just 35% of businesses and 30% of charities have a board member or trustee with specific responsibility for cyber security
  • Only around 18% of businesses and 14% of charities require their suppliers to adhere to any cyber security standards
  • Just 16% of businesses and 11% of charities have formal cyber security incident management processes in place.

Organisations are open to receiving guidance or checklists. However, they expect such guidance to be pushed out to them

Today, UK organisations are open to improving their cybersecurity processes, but they still appear to be reluctant to take responsibility for doing this. Just 59% of businesses and 47% of charities have sought external information or guidance on cybersecurity in the last 12 months.

You can read the report in full here.

Helping individuals and organisations to become more cyber aware and cyber safe

Hayes Connor Solicitors is a niche firm operating in the data breach sector. We help our clients to claim the compensation they deserve following data protection breaches and other cyber offences such as computer fraud, identity theft, defamation, hacking and phishing scams.

A relatively new and evolving area of law, our specialist solicitors lead our field when it comes to understanding the complexities involved.

We make sure our clients have as much information as possible before claiming so that they feel fully informed at all times. And we provide a wide range of information to help our clients protect themselves once a breach has occurred. We also raise awareness of the growing threat of cybercrime and data breaches, as the more people are aware of the risk, the better-protected everyone will be.

For advice on how to keep your data safe, follow us on Twitter and Facebook. Or, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.

 

Home Office guilty of EU Settled Status data breach

In a recent blog, we looked at how an administrative error by the Home Office exposed the email addresses of hundreds of Windrush migrants. And it seems that the department hasn’t learned from its mistakes as another data breach has now endangered the details of hundreds of EU citizens seeking settled status in the UK.

EU Settled Status data breach

In the latest “administrative error” by the Home Office, the department failed to conceal email addresses in a group communication to applicants of the EU Settled Status scheme. The controversial scheme allows EU nationals and their families to secure their rights in the UK after Brexit.

In total it looks like around 240 email addresses were revealed on Sunday 7 April after the department failed to use the ‘bcc’ function when sending a bulk email to recipients. The breach is likely to have made a stressful situation even worse – particularly as the violation involves those who had already faced technical difficulties while trying to apply to keep their rights in the UK.

The Home Office has since apologised to those affected. The Information Commissioner’s Office (ICO) is aware of the breach and will decide whether or not to launch a full inquiry.

What have people said about the EU Settled Status data breach?

Commenting on the incident, Nicolas Hatton, from the 3 Million campaign group said: “It feels like it adds insult to injury”. While one recipient of the email told the BBC that she was outraged and was considering returning to Germany.

Shadow Home Secretary Diane Abbott said: “Data breaches are now a matter of routine, while all those who are unfortunate enough to have to deal with the Home Office face a combination of indifference, incompetence and the hostile environment.”

Conservative MP Alberto Costa has called on the Government to scrap the “morally repugnant” system.

What can you do if you have suffered because of the EU Settled Status data breach?

Experiencing a data breach can result in significant stress and anxiety, which can lead to a diagnosable psychological injury.

For people who are already worried about their rights being removed following Brexit, knowing that their personal information has been violated could be particularly distressing.

If you have suffered damage or distress caused by the EU Settled Status data protection breach you could have a right to claim compensation. To find out how we can help you recover any losses, contact us to discuss your case in more depth.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.


New standards for online services will help to protect children’s personal data

In our digital age, all parents and guardians worry about whether their children are protected online. In response, the Information Commissioner’s Office (ICO) has introduced a new set of standards that all online services must meet to safeguard children’s personal data.

Who does the new code apply to?

This code of practice sets out what is expected of those responsible for designing, developing or providing online services likely to be accessed by children. Such services include apps, connected toys, social media platforms, online games, educational websites, streaming services, etc.

However, the code is not restricted to services specifically directed at children. It also applies to online services that process the personal and sensitive data of children.

What could happen if these standards are not met?

The code states that the best interests of the child should be a primary consideration when designing and developing online services. Or put simply, that privacy must be built in, not bolted on.

Once made law, online service providers will have to follow the code and demonstrate that they use children’s data fairly and in compliance with data protection legislation. Those that don’t could face a hefty fine and be ordered to stop what they are doing.

Failure to adhere to these standards could also result in data protection compensation claims being made against online service providers.

What are the proposed standards to ensure children’s personal data is protected?

Here are the 16 standards that organisations will be obliged to follow once the code becomes law:

  1. Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
  2. Age-appropriate application: Consider the age range of your audience and the needs of children of different ages. Apply the standards in this code to all users, unless you have robust age-verification mechanisms to distinguish adults from children.
  3. Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
  4. Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
  5. Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
  6. Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
  7. Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
  8. Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
  9. Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to off at the end of each session.
  10. Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
  11. Profiling: Switch options which use profiling off by default (unless you can demonstrate a compelling reason for profiling, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  12. Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data, weaken or turn off their privacy protections, or extend their use.
  13. Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable compliance with this code.
  14. Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
  15. Data protection impact assessments: Undertake a DPIA specifically to assess and mitigate risks to children who are likely to access your service, taking into account differing ages, capacities and development needs. Ensure that your DPIA builds in compliance with this code.
  16. Governance and accountability: Ensure you have policies and procedures in place which demonstrate how you comply with data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children. Ensure that your policies, procedures and terms of service demonstrate compliance with the provisions of this code.

Age appropriate design: a code of practice for online services has been published for consultation. You can read the document in full here. The code is out for consultation until 31 May. The final version will be laid before Parliament and is expected to come into effect before the end of the year.

Children’s personal data must be protected

At Hayes Connor, we want to reduce the number of data violations taking place across the UK, and we welcome the new set of standards.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you or your child has been the victim of a data breach, contact us to discuss your case in more depth.

 


Data breaches are a “time bomb”

Earlier this week, a leading security expert warned that data breaches are now a “time bomb”, with too many companies putting confidential customer information at risk.

The comments were made to the BBC by Bryan Sartin, head of global security service at telecommunications company Verizon. They were made following the publication of a report which analysed thousands of successful cyber-attacks.

The annual Verizon Data Breach Investigations Report (DBIR) collated information from more than 41,686 security incidents, of which 2,013 were confirmed data breaches that hit large and small organisations all over the world.

Speaking about the findings, Sartin said he was “surprised” more breaches had not become public and suggested that there are “probably some big situations queuing up right now”.

Key findings

Significant findings of the 2019 report include:

  • 52% of breaches were caused by hacking
  • 33% of breaches were caused by social engineering attacks (where people are manipulated into breaking normal security procedures in order for criminals to gain access to systems)
  • Cyber thieves are increasingly and proactively targeting C-level executives
  • 71% of breaches were financially motivated
  • 25% of all violations were associated with espionage
  • 29% of breaches involved stolen credentials.
  • 56% of breaches took months, or even longer to discover.

What can we learn from this report?

Under current data protection laws, UK companies that lose data face fines of up to 4% of their global revenues. Organisations are at greater risk of such penalties if they delay reporting data breaches and/or if they are found to have failed to protect personal data or clean up after a breach. So, it’s important that they take the threat of cyber-attacks very seriously.

Speaking about the latest findings, Hayes Connor managing director and data protection heavyweight Kingsley Hayes added his insight on this matter. He said: “Unfortunately, reports of a data breach time bomb are not exaggerated. In fact, we’ve been warning organisations about the level of risk they are exposed to since before GDPR.

“Having received thousands of enquiries from customers who have suffered as a direct result of a data breach caused by a cyber attack in the last twelve months alone, it has become clear to us that this is just the tip of the iceberg. And, disturbingly, the response provided by many of these organisations falls short of what we would expect. Businesses must do more to meet their data privacy responsibilities and provide adequate redress where they fail to do so, or risk increased compensation claims.

“But it’s also vital to highlight that the vast majority of data breaches are not caused by cybercriminals, but by simple human errors and a failure to ensure robust security processes. And every day, these smaller data breaches are causing misery and upset to people across the UK.

“So, when it comes to data breaches, it’s just as important that businesses look at the threat from within, as well as putting measures in place to protect themselves from the bad guys.”


Banks try to limit their liability for push payment compensation

Push payment scams happen when cybercriminals trick someone into sending them money by pretending to be someone else. Some victims have been conned into transferring hundreds of thousands of pounds to criminals. In the first half of 2018 alone, such scams saw £145 million stolen by cybercriminals. And, until now, there was very little victims could do to secure push payment compensation.

Find out more about push payment fraud.

In response, the industry is looking at a new compensation scheme.

But, responding to a consultation on the introduction of a new code – which could force banks to pay millions of pounds in compensation each year – it seems like the banks are trying to limit their liability for push payment compensation.

  • Santander has proposed that victims whose losses are not considered to be “life-changing” should receive nothing. The bank argues that “smaller” payments of a few hundred pounds should not be eligible for compensation
  • Lloyds has proposed that customers should pay an extra levy every time they make a significant bank transfer to help fund the compensation scheme
  • Barclays has warned that to limit its liabilities for push payment compensation it might need to slow down and block payments for genuine customers
  • Nationwide has suggested that customers it identifies as vulnerable may be barred from some banking services as they present too much of a risk of getting scammed.

What would the new code do?

Under the new scheme, banks would agree to compensate fraud victims for losses if it can be proved that they failed to protect them. Historically, banks have avoided paying push payment scam compensation to victims unless there was a fault in their processes. This is because the customers authorise the fraudulent payments.

However, some banks have already signed up to a new push payment scam compensation fund which has been introduced as an interim measure until a permanent solution can be agreed.

What can you do if you are the victim of push payment fraud?

If you have been the victim of an attempted push payment scam, you should contact Action Fraud. However, if you have lost money as a result of the scam, you must also report it as a crime. You should also notify your bank ASAP.

At Hayes Connor Solicitors, we want to reduce the number of data violations and successful cyber scams taking place across the UK. To do this, we are raising awareness of this issue and educating people to help stop fraudsters in their tracks.

For more advice on how to keep safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a push payment scam, find out how we can help you to recover any losses or contact us to discuss your case in more depth. We can help you to claim compensation and steer you through the aftermath of a bank or credit card scam – minimising the impact on you as much as possible.

 

We can also help you if you became the victim of a bank scam as a direct result of a data breach.


Beware of using unauthorised IT systems at work

With human error the leading cause of data breaches, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses communicate the importance of information security to staff.

At Hayes Connor, we’re sharing some of the tips included in this toolkit to raise awareness of the importance of this issue, and to help organisations across the UK improve their data protection processes.

Tip: All information you work with has value. Only use authorised IT systems

The risk of using authorised systems  

When personal and sensitive data is processed and accessed via authorised IT systems, it’s easier to keep it safe and prevent cybercriminals getting their hands on it. On the other hand, systems that are not effectively managed will be vulnerable to attacks that may have been preventable.

Quick tips

Here are some quick tips to help employers keep the data they hold on their systems safe.

  • Put strict policies and procedures in place to ensure the safe processing of information – both in and out of the office
  • If you allow mobile working, establish what devices and applications are allowed to access your network, where, when and how it can be accessed, and any penalties for breaching the policy
  • Implement tools and practices to protect data on mobile devices. This should include things like Two Factor Authentication (2FA), password controls, and the ability to remove sensitive data from devices remotely
  • Make sure that all staff receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws.

However, even authorised IT systems can be manipulated if not managed properly. For example, Equifax’s failure to patch a server flaw resulted in hackers potentially stealing 143 million US citizens’ data, and the personal details of up to 15 million Brits. This sensitive information included email addresses, passwords, driving license numbers and phone numbers.

So employers should also make sure that they:

  • Only use supported software, operating systems, web browsers and apps
  • Develop and implement policies to update and patch systems regularly
  • Create and maintain hardware and software inventories: so you know what is being used across your business, together with the version and patch status of all software
  • Deploy tools to help identify unauthorised hardware or software use
  • Make sure that any functionality or application that doesn’t support a business need is removed or disabled
  • Conduct regular vulnerability scans
  • Establish configuration control and management policies for all systems
  • Disable unnecessary devices and prevent removable media access
  • Ensure that regular users cannot install or disable any software or services running on the system
  • Limit privileged user functionality

A key principle of the GDPR is that businesses must process personal data securely by means of ‘appropriate technical and organisational measures’. Find out more about how to do this on the ICO’s website.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

Join Our Team

Hayes Connor are hiring!

We are looking for new team members to join us.

We need a Legal Assistant and a Litigator.

Legal Assistant Role:

Job Overview

Legal Services is a department within Hayes Connor Solicitors, who are Data Breach and Cyber Crime Experts, driven to continuously improve the lives of the people they represent, helping to protect clients’ rights while making sure they get the compensation they deserve.

Responsibilities and Duties

  • Opening and closing cases within proclaim.
  • Ensuring that client data is inputted accurately.
  • Excellent communication skills
  • Keeping in constant touch with clients to ensure communication and continuous work flow
  • Making initial contact with client and obtaining all relevant details in order to assess the prospects of the case.
  • Copy typing of documents, forms and letters.
  • Send initial documentation, Questionnaire and Impact Forms to client
  • Chase the return of initial documentation, Questionnaire and Impact Form
  • Organize, analyse, and compile information
  • Answer and direct phone calls
  • Monitor deadlines and adhere to strict SLAs
  • Obtain relevant proof of Identity and Address and complete AML checks
  • Respond promptly to emails and other messages when directed
  • Maintain and organize files, databases, records and other information
  • File and slip post invoices
  • Create reports and documents on case specifications and requests
  • Prioritise and effectively work on own caseload
  • Work independently, as well as part of a team when necessary
  • The ability to work towards and achieve monthly targets

 

To apply send us your CV to recruitment@hayesconnor.co.uk


Ceredigion Council data breach blamed on human error

A data breach at Ceredigion Council is being blamed on human error. The breach saw documents which contained personal and sensitive information published on the county council’s website.

In the worst instances, these documents included detailed health information about local residents. The other information breached was considered lower risk and included info such as names and addresses, company names and transactions for the sale of land.

However, while Ceredigion Council might consider this information to be low-risk, the devastation such negligence can cause can’t be underestimated.  Just having access to an individual’s name and address can put them at serious threat of identity fraud.

Furthermore, one councillor has rightly raised the point that, for someone fleeing violence, the impact of such data falling into the wrong hands could “mean loss of life for somebody.”

As such, some residents believe that the council is “playing down” the data breach.

Why did the breach happen?

Although the data breach only came to light last August, it is thought to have occurred when the authority’s website was redesigned in 2013. This means that this sensitive information was at risk for years. However, the man who notified the council of the breach said he reported the same data on the council’s old website as far back as 2007.

After looking into the breach, it appears that the problem occurred as the documents had been incorrectly under a new electronic management system in 2006. All records at the council are now verified by two people to evaluate whether they should be kept secret or not.

The Information Commissioner’s Office is due to report on the incident.

Local governments must do better

The violation at Ceredigion Council is similar to our experiences of data breaches at local authorities across the country. And, as in this instance, in most cases it is human error rather than cybercrime that is the biggest cause of data privacy violations.

Some examples of cases investigated by the ICO include where:

  • The Royal Borough of Kensington and Chelsea was fined £120,000 after it unlawfully identified 943 people who owned vacant properties in the borough
  • Nottinghamshire County Council was fined £70,000 for leaving vulnerable people’s personal information exposed online for five years
  • Islington Council was fined £70,000 for failing to keep up to 89,000 people’s information secure on its parking ticket system website
  • Basildon Borough Council was fined £150,000 for publishing sensitive personal information about a family.

The impact of a data breach can be very harmful

A data breach can lead to financial fraud and identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

And, even if nothing has been done with that information as yet, it doesn’t mean the data is safe.

Working exclusively on data breach and cybercrime cases, it has become clear to our solicitors that the impact and losses people sustain following a data privacy violation are not always immediately apparent. Indeed, in the Ticketmaster data breach, we are starting to see cases where the impact only became clear months later. This is often because data stolen is used in batches over time.

What’s more, even if you haven’t lost out financially after a data breach, this doesn’t mean that there is “no harm done.” A data breach can lead to distress and psychological trauma. And, like the financial losses, the full impact often isn’t felt until much later.

 What can you do to stop this from happening to you?

If you are concerned that your data might be at risk, either by Ceredigion Council, or another local authority, you can ask for a copy of the data the council holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

This won’t guarantee that an error doesn’t result in your information being exposed, but it is a reasonable safety precaution to take. You can also ask the council for a copy of their acceptable use policy and data protection policy.

Not just hackers

Our local governments were hit by almost 100 million cyber-attacks over five years, with one in four council systems successfully breached. Indeed, the sector has proved a lucrative target for hackers. Often because of a reliance on unsecured legacy software and a lack of preparation for dealing with cyber-attacks.

But, while the threat of cybercrime is something that the public sector needs to take seriously, human error remains the leading cause of breaches. And, these errors (which are just as likely to happen offline) must also be addressed.

At Hayes Connor, our expert solicitors deal with a significant number of local and national government data breach cases. During our work, we see many different types of claims and understand how data breaches can affect people in different ways.

TAKE A LOOK AT OUR CASE STUDIES TO FIND OUT MORE ABOUT THE TYPES OF DATA BREACHES THAT ARE OCCURRING ACROSS THE UK.

For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.  Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


Do you have to hand over your personal data to a pharmacist?

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of data privacy matters and educating people and businesses to prevent mistakes from happening.

And, after seeing some of the advice we have issued on how to keep your personal data safe, one concerned individual contacted us after being given a medication service questionnaire from her local pharmacy.

What was the problem?

The questionnaire asked for a whole range of sensitive medical information including:

  • Her name and contact details
  • Details of her GP practice
  • A list of any medical conditions
  • Whether she is pregnant
  • Whether she smoked
  • Any mental health requirements
  • A list of the medications she takes and any side effects of these medications
  • Whether she has dementia
  • Whether she has an impairment of the liver, heart, kidneys or lungs
  • Whether she has any visual or hearing impairments
  • Whether she has any physical impairments.

Contacting Hayes Connor Solicitors with a copy of the questionnaire, the woman said: “I’m quite disturbed at the way this has been issued. There is no indication about whether the questionnaire is voluntary and I fear that many people will hand over this extremely sensitive data without question.”

Does the pharmacy need this information?

Pharmacies across the UK are providing an extremely valuable service to patients while removing some of the burden from doctors. And, certainly having this information could help them to provide more tailored medical advice. But, at Hayes Connor we are extremely worried about the way in which this particular survey has been issued.

Crucially, we think that it breaks data protection laws.

What does the law say?

Unless you have been living under a rock, you will have heard about the General Data Protection Regulation (GDPR). Under the GDPR, any organisation that handles personal information such as names, email addresses, phone numbers, payment details and medical information has to put robust measures in place to keep this safe.

The more you know about the GDPR, the easier it is to make sure you hold organisations to account when it comes to keeping your data safe.

Under the GDPR you have the following rights (among others):

  • The right to be informed if your personal data is being used. This includes things like why an organisation is using your data, how it is using it, what type/types of data it is using, how long the data will be kept, if it shares this data with any third parties, and more
  • The right to limit how organisations use your data. You can restrict the way an organisation uses your personal data. To exercise your right you should make your request directly to the organisation in question and be clear why you want the data to be restricted. In some circumstances you can also object to an organisation using your data at all
  • The right of access to your data. You have the right to find out if an organisation is using or storing your personal data. To exercise this right all you have to do is ask for a copy of this data. This is called making a subject access request (SAR). You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used
  • The right to get your data corrected or deleted. You can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected, added to, or deleted.

This survey does not provide customers with any of this information. And, to make matters worse, there is no communication explaining that providing this data is voluntary. Likewise, the pharmacy hasn’t provided any details on how it will handle and keep this sensitive medical information safe, and that is very worrying.

Our advice in this situation would be to:

If the pharmacy does not respond satisfactorily you should then inform the Information Commissioner’s Office.

Committed to upholding your data protection rights

At Hayes Connor Solicitors, we are committed to making sure that people across the UK understand their data protection rights, and know what they can do when these rights have been ignored, overlooked or abused.

Find out more about your rights on the ICO website.

For more advice on how to keep your data safe, you can also follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


British consumers likely to avoid organisations following a data breach

Customers in the UK are more likely to change their spending habits following a data breach than those in the US. That’s according to research into consumer trust and spending habits[1]. In fact, 41% of UK customers would stop spending money with a business forever following a data security breach, compared to just 21% of US consumers.

The research also found that:

  • 26% of UK customers won’t spend money with brands they don’t trust to handle their data. That figure drops to just 18% for Americans
  • Americans are more likely to be a victim of a security breach than Brits (44% as opposed to 38%)
  • Retail and travel industries are among the least trusted industries on both sides of the Atlantic
  • 56% of UK respondents were uncomfortable about giving out their credit card details over the phone. However, this figure dropped to just 42% for their American counterparts.

For UK businesses, the findings issue a stark warning about the potential consequences of a data breach.

According to a spokesperson for the report:

“Awareness of data security is something that is on everyone’s radar, yet our UK and US surveys have highlighted some real differences of opinions and traits, when comparing attitudes to data and payment security between the two countries,”

“UK consumers certainly seem more guarded with providing personal information, such as payment card details, over the phone, yet the US is catching up fast. Similarly, if a security breach has occurred at an organisation, Brits appear more likely to avoid that organisation in future, and instead go elsewhere. In my opinion, 2019 is the year that organisations need to take steps to provide far clearer assurances to consumers as to how their data is being captured, processed and stored otherwise customers are not going to wait, and they may find them going elsewhere for their purchase.”

Smaller doesn’t mean safer

However, British consumers shouldn’t be complacent as the report shows that there is still a lack of awareness about cybercrime and data breaches.

Indeed, according to the findings, over half of UK respondents (55%) felt they could trust a local store with their data more than a national company.

But, according to UK government statistics, smaller organisations are experiencing a significant number of cyber-attacks, with 42% of small and micro businesses identifying at least one breach or attack over a 12 month period[2].

So, more small and medium-sized businesses are being affected by data breaches than ever before. And, in many cases, cybercriminals are specifically targeting smaller companies because they are thought to be less likely to invest in robust cyber security processes. So, when handing over your valuable data you need to be aware of the risk – regardless of whether you are giving it to a national bank or a local hairdresser.

Be aware. Be safe

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of this issue and educating people and businesses to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on our helpline to discuss your case in more depth.

[1] PCI Pal

[2] https://www.gov.uk/government/news/new-figures-show-large-numbers-of-businesses-and-charities-suffer-at-least-one-cyber-attack-in-the-past-year