Posts

GDPR Weekly Show – Episode 62 – 20th October 2019

Hayes Connor featured on this week’s GDPR podcast with news of our client’s successful data breach claim against his local NHS Trust after it shared confidential details from his medical records without consent (listen from 11 minutes, 13 seconds).

The podcast also features news of the team’s landmark representative action against Equifax worth an estimated £100 million (listen from 28 minutes, 14 seconds).

How to get your money back after push payment fraud

Push payment fraud is the fastest-growing type of fraud in the UK. In 2017, there were 43,875 cases involving push payment fraud, with total overall losses of £236 million to customers and only £60.8 million repaid[1].  And, in the first half of 2018 alone, push payment scams saw £145 million stolen by cybercriminals.

So, it’s essential that victims of push payment fraud know what to do to help them get their money back.

In this quick guide, we provide some expert help on what you need to do to get push payment compensation.

Push payment fraud

Push payment fraud – also called authorised push payment (APP) – happens when cybercriminals trick people into sending them money. Because the individual thinks the cybercriminal is genuine, they authorise the handover of cash.

This money is then swiftly transferred to different accounts, often abroad, which makes getting it back almost impossible. So, it’s vital that people have someone to turn to so they can get push payment compensation.

Types of push payment fraud

Push payment fraud is carried out in many different ways, but ultimately fraudsters are looking to trick you into believing that you are making a payment to someone you can trust.

Typical push payment scams include:

  • Where criminals send fake invoices that look exactly like ones you are expecting (e.g. from your child’s school or a legitimate tradesperson)
  • Where fraudsters convince you to transfer money to them by pretending to be someone official, such as a solicitor (e.g. when buying a house) or the police
  • Where push payment scammers send emails pretending to be from a friend or family member asking for money.

Ultimately it’s about conning you into transferring your cash into fraudulent bank accounts.

The impact of push payment fraud

The money lost because of authorised push payment fraud can be devastating.

For example, a mother and daughter in Kent were tricked out of their life savings after unknowingly transferring £113,665 to a criminal, rather than their solicitor.

Another woman was conned into losing her mother’s care-home fees after a criminal claiming to be from her bank’s fraud team flagged up unusual transactions on her bank account. She was asked to move her balance to a new “protected” account. However, when she called her bank to check the transfer had gone through, they knew nothing about it.

Why were you targeted?

In some cases, the criminals involved might have called hundreds (or even thousands) of people in the hope of deceiving someone.

But often these scams are highly targeted and happen because your data has already been violated because of a data breach (or other cybercrime such as an email hack).

A data breach could have occurred at any organisation that holds your personal information. Criminals often use data breaches to access data and sell it on the dark web.

According to a report by The Independent[2], the personal data of UK citizens is selling for as little as £10 on the dark web. The data offered provides more than enough information for push payment fraudsters to convince you that they are genuine and defraud you.

In addition, some criminals will target the customers of banks that have poor security processes. This is because they know that inadequate practices can make it easy to trick customers into handing over money. This includes where banks fail to:

  • Keep their internal telephone/text/email systems secure
  • Keep their internal security protocols safe and secure, allowing fraudsters to easy access to them to commit fraud
  • Undertake proper checks on large transactions from clients who don’t normally transfer large sums
  • Undertake proper checks on transactions to accounts where there is no history of transactions
  • Stop transfers and freeze accounts when they are informed that fraud might be happening
  • Liaise with the fraudsters’ banks to chase down the money and/or find out who the money has gone to.

Protecting yourself from push payment fraud

There are steps you can take to protect yourself from push payment fraud. For example, you should never disclose your security details such as your PIN or full banking password to anyone (not even your bank). Likewise, you should never transfer money without being 100% sure who you are sending it to. Just because someone knows some personal information about you (i.e. your mother’s maiden name), that doesn’t mean they are genuine.

But this doesn’t help if you have already been conned.

How to get push payment compensation

There are a few ways to get your money back after a push payment fraud.

Firstly, if someone is convicted of a cybercrime against you, the court may order them to pay you compensation. Where the authorities are not interested in pursuing compensation, or where you do not want to make a criminal case, we can assist with a private prosecution. However, this isn’t always possible. First and foremost the scammer has to be caught, and that is rarely the case.

Secondly, you can ask your bank to compensate you after a push payment fraud. Historically, banks have avoided paying push payment scam compensation to victims unless there was a fault in their processes. They argued that they made it very clear that customers should never make a payment at the request of someone over the phone or email. So, because you authorised the payment, it was your responsibility, and they could not be held liable.

However, stronger protections have been introduced to help protect victims of push payment fraud. This means that your bank or credit card provider can only refuse to reimburse stolen funds where you have shown a very significant degree of carelessness.

Thirdly you can also complain to the bank that received your money (the bank that the fraudster used). This is a new rule that has been introduced to encourage banks to do more to identify when a fraudster is using their services.

It is expected that banks will reimburse somewhere between £30million and £40million more in push payment compensation in 2019 as compared to last year.

What if your bank refuses to give you push payment compensation?

Despite the new measures, the banks are still trying to limit their liability for push payment compensation. So, if you’re not happy with the response from your bank, you should refer your complaint to the Financial Ombudsman.

The Ombudsman understands that cybercriminals are becoming increasingly sophisticated and harder to spot. It knows that people are often manipulated into thinking that their money is at risk. So they will think carefully before deciding whether you have acted in a way that goes beyond what might be described as careless.

However, even where you do have a claim for reimbursement, fraud victims whose banks refuse to refund their losses can see the appeal process drag on for months. The average wait for those taking their case to the Financial Ombudsman Service is a staggering 215 days.

What if the Financial Ombudsman doesn’t help?

If you have been the victim of a push payment scam and the banks are refusing to help, you should contact Hayes Connor solicitors to find out if we can help you to recover any losses.

We are also considering a group action claim against banks who have failed their clients after they have lost money through no fault of their own. A group action is where a group of people, all affected by the same issue, collectively bring their cases to court. Group actions can be a powerful tool and can have a bigger impact than a single claim.

 The current banking system makes it all too easy for scammers to trick people into sending them money so it’s vital that you have someone you can turn to for help.

FIND OUT MORE ABOUT CLAIMING PUSH PAYMENT COMPENSATION.

What should you do now?

 If you have been the victim of an attempted push payment scam, you must contact Action Fraud ASAP if you haven’t already done so. Action Fraud is the national fraud reporting service. However, if you have lost money as a result of the scam, you must also report it as a crime.

If you live in Scotland, you should call the Police on 101.

There are also some security measures you should take after a financial data breach to stop yourself from falling victim to further crime. These include:

  • Contacting your bank/credit card provider immediately
  • Freezing your card right away via your banking app if available
  • Changing your passwords and other security details
  • Implementing a credit freeze until the matter is resolved
  • Keeping an eye on your bank and credit card statements to see if there is anything you don’t recognise (and reporting these to your financial provider immediately)
  • Letting the credit reference agencies know of any activity that was not down to you
  • Registering with the Cifas protective registration service. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you.

If you have been the victim of a push payment scam and the banks are refusing to help, contact us to find out how we can help you to recover any losses and to discuss your case in more depth. We can also help you if you became the victim of a bank scam as a direct result of a data breach.

REGISTER TO FIND OUT MORE ABOUT CLAIMING PUSH PAYMENT COMPENSATION

For more advice on how to keep safe, follow us on Twitter and Facebook.


[1] UK Finance

[2] https://www.independent.co.uk/life-style/gadgets-and-tech/news/dark-web-id-value-hackers-cyber-crime-a8683821.html

thebusinessdesk.com, 17th October 2019

Kingsley Hayes featured on thebusinessdesk.com with news that Hayes Connor had issued a claim worth an estimated £100,000 million against Equifax in the High Court on behalf of all affected individuals. The landmark legal action is the first time that a law firm has issued a representative data breach claim which could see the Court ordering Equifax to pay compensation to all its affected UK customers to Hayes Connor to distribute accordingly.

data protection
, ,

Huge step forward for privacy rights after ground-breaking data protection ruling

A data protection case against Google has resulted in a huge win for individuals and their data privacy rights.

The legal action[1], which relates to events that took place nearly a decade ago, will make it much easier for people to make a data breach claim.

What happened in this case?

Between 2011 and 2012, Google used cookies on Apple’s Safari web browser to collect data about its users. This included information on health, race, ethnicity, sexuality and finance. It is alleged that this happened even if someone changed their setting to “do not track”.

In response, a group action was launched to help people challenge the big technology company over this data privacy violation. But, in October 2018, the case was thrown out.

One reason behind this decision was that it was deemed too difficult to calculate how many people had been affected and in what way. This is because, to make a data breach compensation claim, each individual had to show that they had suffered. This could include experiencing either emotional distress or financial loss as a result of a breach.

However, this case was taken to appeal. And, in a “ground-breaking” ruling, the Court has shown that big business is not above the law.

What happened in the appeal?

The Court of Appeal decided that all data breach claims are valid. Even if someone hasn’t suffered financial or emotional damage as a result. Simply losing control of the personal information is sufficient grounds to make a claim.

What’s more, the appeal also found that people are entitled to compensation even if the only personal information breached was their email address.

What does this mean for victims of a data breach?

This is good news when it comes to the protection of our privacy rights. It means that organisations are much more likely to take their data responsibilities seriously. And, where a breach does occur, it is now much easier to hold corporate giants to account.

What’s more, a group action can now be launched based on the total number of those affected. Not just the individuals who have proactively decided to pursue compensation. This will make the group action claim process much quicker.

Businesses will have to do more or risk legal action and hefty costs

Speaking about the case, our managing director Kingsley Hayes said:

“This is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.

“The ruling rightly adds further weight and consequence to any breach of personal data, even if a breach only involves an individual’s email address. This is likely to open the floodgates as consumers become increasingly proactive about protecting their privacy rights and seeking legal redress.

“Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.

“The development is fair and right providing robust clarity that the law sits firmly behind the rights of individuals to have full control of all their personal information and how, when and where this is stored, processed or shared.”

How do you make a data breach claim?

If you have experienced a breach of any part of the Data Protection Act, you have a right to claim compensation.

And, keeping things simple, as far as individuals are concerned, the process of making a data breach claim remains largely the same. So, if you are worried that your information has been lost or misused, we can help.

At Hayes Connor Solicitors, we know what it takes to make a successful compensation claim. In fact, we’ve been helping people to do just that for over 50 years. We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So claiming compensation isn’t just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously and make the necessary improvements is by hurting their bottom line.

Find out more about making a data breach compensation claim.

[1] Lloyd v Google

Southern Health NHS Trust pays settlement in data breach claim

Southern Health NHS Trust has admitted failing in its data protection obligations following an incident which involved a member of its staff accessing and sharing details of a patient’s confidential medical records without consent.

The breach took place in 2016 but was only discovered more than two years later following a Right of Access information request by Fordingbridge resident Robert Richardson.

Council files revealed that following his request for a more secure back door to be provided for his property following serious threats made against him, New Forest District Council had contacted the NHS to ask whether he was known to its mental health facility.

61-year-old operations administrator Robert Richardson said: “I asked the local council to replace my back door for added security for my family, but they were not forthcoming. I had concerns about what was happening internally at the Council in relation to my request. I proceeded to make a Right of Access request only to discover that they had contacted the NHS with the suspicion that I was suffering mental health issues.

“I was stunned and very upset to discover that this had taken place without my knowledge, or consent, and even more upset that the NHS had proceeded to access my private medical records to confirm to the Council that I had not been a mental health patient, again without my knowledge or consent.

“This followed a simple request to have the back door of my property replaced and at no point did the Council, or the NHS, ask permission to share my private information.”

Representing Mr Richardson, James Kelliher, litigation executive at data breach and cybersecurity specialist Hayes Connor Solicitors, commented: “The Trust admitted that a technical breach of the Data Protection Act had occurred. Our client discovered the breach purely by chance. It is concerning that private medical information was accessed and details shared without our client’s consent. Had he not made a Right of Access request the breach would have gone undetected.

“We pursued a successful data breach claim against Southern Health NHS Trust on behalf of Mr Richardson securing £1,500.

“GDPR came into force last year raising awareness of data privacy however, individuals’ private information has been protected by data protection laws for some time predating this, a fact that both the Council and NHS Trust should have been well aware of.”

Salisbury Journal, 13th October 2019

We were pleased to secure £1,500 for our client after he discovered that his local NHS Trust had breached his data protection rights. His confidential medical files were accessed and information shared with a third party without his knowledge or consent.

Liverpool Business News, 9th October 2019

Liverpool Business News featured news of Hayes Connor’s £multi-million data breach claim against British Airways following its 2018 data breach.  Affected individuals have a 15 month window to join the group litigation for compensation.

Today’s Legal Cyber Risk, 7th October 2019

In an increasingly digitised era, more and more of our personal information is stored, processed and shared online. Kingsley Hayes advises on simple tips to help prevent cyber-attacks and maintain robust data protection in Today’s Legal Cyber Risk.

Legal Futures, 4th October 2019

The Court of Appeal made a ground-breaking ruling on 2nd October 2019 reinforcing the value of personal data and adding further weight to action taken against organisations who fail in their data protection obligations. Kingsley Hayes talks about what this means for data breach claims in Legal Futures.

court of appeal

Court of Appeal makes ground-breaking ruling on data protection

The Court of Appeal made a ruling on 2nd October in the Lloyd v Google case which may open the floodgates to data breach claims.

The Court decided that claimants would be entitled to compensation even if the only personal information breached was their email address. It also ruled that a claim would be valid without the requirement to prove a loss or damage as the loss of control of the personal information was sufficient grounds.

The ground-breaking judgement also clarified that firms representing only a portion of the total number of individuals affected in major data breaches, such as the British Airways and Ticketmaster incidents, can claim compensation for the entire population affected and can thereafter distribute the funds.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “This is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.

“The ruling rightly adds further weight and consequence to any breach of personal data, even if a breach only involves an individual’s email address. This is likely to open the floodgates as consumers become increasingly proactive about protecting their privacy rights and seek legal redress.

“Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.

“The Court of Appeal’s decision sets a precedent as we can now claim compensation for the total number of those affected by a breach and not just the individuals who have proactively contacted us to pursue compensation on their behalf.

“The development is fair and right providing robust clarity that the law sits firmly behind the rights of individuals to have full control of all their personal information and how, when and where this is stored, processed or shared.”

Hayes Connor Solicitors was recently appointed as data protection supplier to the Communication Workers Union and is currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.