What is a group action claim?

In 2015 – in the first group litigation of its kind in the UK – 5,518 people brought a claim against Morrisons under the Data Protection Act 1988, for misuse of private information and breach of confidence. But what is a group action claim and can you join one?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also sometimes called class actions, collective redress actions, or multi-party actions. With a group action, this group of people (the Claimants) collectively bring their cases to court against a Defendant. These victims then fight together to achieve compensation in the High Court of Justice.

The benefits of group action claims

Group action claims are becoming far more common in the UK. Here are just some of the reasons why:

  • Strength in numbers. Starting a claim can be frightening, and it’s not unusual for people who have perfectly valid complaints to be put off due to the risks of going up against a large and well-resourced Defendant. Where cases are very similar, group actions can be a powerful tool and can redress the balance.
  • Save on legal costs. By joining together, individuals can share the risks and costs of claiming compensation. Legal advice is also shared, so not everyone in the action needs to pay for their own solicitor.
  • Help victims with smaller claims. Group actions provide a way for people with more modest cases (that may not justify legal fees) to claim the compensation they deserve. Often, solicitors will agree to take such cases on a no-win no-fee basis.
  • You might not have to go to court. Usually, a Lead Test Case is started, and common issues are tried. The result of this case is then used as a precedent for other cases in the action; so every single claim doesn’t have to be taken to court.


Who can make a data protection group action claim?

In data breach cases, the Information Commissioner’s Office (ICO) investigates any reported breaches and has the power to impose hefty fines. If the ICO believes that an organisation broke the law, this information can be used in court to support a group action claim.

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, and the ICO finds that the organisation did indeed break the law, you have a right to claim compensation. However, in many cases, where a breach occurs, you won’t be the only person making a claim. In such circumstances, it is often worth joining a group action claim.

However, before you can join a group action, the court decides whether claims can be grouped together. Where approved, a group litigation order (GLO) is created which grants permission for group action proceedings to begin.

In many cases, people start to think about joining a group action before the court has issued a GLO, or even before an organisation has been found guilty and fined by the ICO. For example, at Hayes Connor Solicitors, having witnessed an influx of queries from clients who have received letters from Equifax informing them that their data may be at risk following the latest hack, we are currently building a secure database of victims who want to seek compensation for damages or distress suffered. If Equifax is fined, we will let people know when their claim for compensation can be made and help them get the compensation they deserve.


Does everyone in a group action claim get the same amount of compensation?

No. Just because your case is part of a group action doesn’t mean that you will receive the same amount of compensation as everyone else.

All claims within a group action are settled based on their merits, and, as with any case, the value of your claim depends on the extent of your suffering. So if your claim is successful, you will receive what you are owed.


What are your rights if you are ‘named and shamed’?

A restaurant in Cardiff recently hit the news after its owner took to Twitter when a customer missed her reservation. The screenshot of the booking, posted on Twitter, revealed the customer’s name, telephone number and email address. Not only did the post disclose her personal details, but it also triggered a torrent of abuse from other users of the social media site.

When that prospective diner made her reservation, she likely didn’t bank on her personal information being shared all over the Internet. And, while diners who don’t show up are undoubtedly a genuine problem for restaurants, the owner’s decision to ‘name and shame’ the customer wasn’t just poor etiquette, it was a serious violation of her privacy.

We live in a world in which we’ve grown accustomed to sharing our personal information with relative ease – be it on social media sites, through online shopping, or even making a reservation at a restaurant. Unfortunately, this means we are sometimes at risk of that information being shared or used in ways that are inappropriate, or even illegal. So what happens when you become the victim of a data breach?

The use of personal data is currently governed by the Data Protection Act 1980. This Act is designed to protect storage of personal data, and its rules apply to any organisation, public or private, that has access to third-party data. While data seems like a very technical term, it actually covers all manner of personal information – from things such as name, address, or ethnicity, to more sensitive material such as religious beliefs, expressions of opinion, and sexual orientation.

The Data Protection Bill is currently making its way through Parliament in order to better protect people who share their data. It is intended to update British law, paralleling the EU’s incoming General Data Protection Regulation. This modernisation is a response to the ever-increasing amount of data that is processed, and according to Government, it will strengthen regulations, with tougher sanctions for breaches.

Those sanctions are implemented by The Information Commissioner’s Office (the ICO). The ICO is an independent body that investigates breaches – any individual can report a concern to the ICO, and it will be looked into. The ICO has a range of tools open to it – it can serve enforcement notices, conduct audits, and most notably, it has the power to impose fines of up to £500,000.

Further, when a breach is so serious as to constitute a criminal offence, the ICO can take the matter to court. Recent examples of those prosecuted include a nurse who inappropriately accessed patient files, and a counsellor who sent details of vulnerable clients to his personal email address – data breaches can occur in many different ways, and the consequences can be severe.

However, the ICO does not have the power to award compensation to those who have been directly affected by a data breach. In a case like that of the restaurant reservation, where the violation was not only intentional but also arguably malicious, a victim may want to take further action. If the ICO has found an organisation guilty of a data breach, lawyers can work with the evidence that it provides to take private legal action. It isn’t strictly necessary to go to the ICO first, but its findings can strengthen any claim made.

When you supply your information to an organisation, you trust that that information will be used and stored appropriately. This isn’t just a social nicety – it can constitute a legal relationship. The organisation has a duty to you. If that duty is breached, and that breach causes you to suffer a loss, you may be entitled to compensation.

This suffering can be both financial and emotional. In 2015, a group of people brought a successful claim against Google after learning that the company had used their personal information to create targeted advertisements. This was deemed to be misuse of private information. The claimants suffered no financial loss – their claim was based purely on the fact that knowledge of third party access to private information caused them to feel distress and anxiety.

While the customer whose information was shared on Twitter might not necessarily have incurred a financial loss, she was subject to abusive comments from other people online. If this caused her distress, or anxiety, she could be entitled to damages to cover that loss.

In this case, the abuse may well be considered as an aggravating element of the data breach, but online abuse can constitute a separate criminal offence. “Trolling” – the abuse of individuals online – can be prosecuted under the Malicious Communications Act 2003. The threshold for prosecution is high, but with cybercrime on the increase, more measures are being taken to protect victims of online abuse. Another recent cybercrime phenomenon is “doxxing” – the publication of personal information that encourages harassment or criticism of the individual to whom it relates. Perpetrators can be charged under the Serious Crime Act 2007 – naming and shaming can in effect be a criminal offence.

Violations of your right to privacy are extremely serious, and the consequences can be so too. If you think you’ve been the victim of a data breach, you can contact the ICO, or get in touch with a lawyer. It’s easy to become desensitised to the importance of protecting your information, but if something as simple as making a dinner reservation can lead to a stream of online abuse, it shows that when it comes to data protection, it’s important to know your rights.


If you’ve been a victim of a data breach you can contact us to find out more about making a claim.


TSB: What are your rights following the recent data breach?

Following a bungled IT upgrade over the weekend, many TSB mobile and internet banking customers are still unable to access their accounts. And, according to reports, up to 1.9 million could be affected. To make matters worse, some customers have reported that they have been given access to random bank accounts worth thousands of pounds in what could be a terrible breach of personal data.

With many customers now calling for compensation from TSB, it is important that you know your rights.

Getting compensation from the bank

In 2012, The Royal Bank of Scotland was fined £56 million by regulators after a software upgrade left more than 6.5 million customers locked out of their accounts. The bank also paid over £70 million to UK customers. So people who haven’t been able to access their money over the last few days could be in line for compensation.

However, in the TSB case, the breach of personal information could also lead to a raft of data breach compensation claims against the bank.

Currently, both the Financial Conduct Authority and the Information Commissioner’s Office (ICO) are investigating the IT breakdown. But while they have the power to fine TSB for the failed system upgrade and any data breaches, they do not provide compensation to customers.

So, what can you do if your bank details were put at risk?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. If you are worried that your banking details have been exposed by TSB, there are a few simple steps you can follow.

  1. Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  2. Read our handy step-by-step guide to making a data breach claim
  3. If you are offered any form of compensation or free services for not being able to access your funds it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  4. Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Can you claim compensation if you didn’t lose any money?

In short, yes. In fact, while some people would have us believe that claiming for distress is an overreaction, the law doesn’t agree with them.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

Organisations have a duty to protect your sensitive data. And letting other people access our bank accounts is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

Start a compensation claim against TSB

If you want to make a compensation claim against TSB, contact Hayes Connor ASAP. Our expert, online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you. Our initial assessment is always free.

If you want to find out more about claiming for a data breach you can contact us here

Tesco Bank data breach. Are you affected?

Tesco Bank is at the centre of a recent data breach investigation after thousands of customers’ sensitive information was carelessly leaked. The bank has found itself in the spotlight after Travelex – which runs Tesco Bank’s foreign currency exchange service – admitted that a breach had occurred putting 17,000 users at risk.

This data leaked includes full names, dates of birth, phone numbers, delivery/billing addresses, email addresses, IP addresses and partial payment card numbers. Travelex stresses that card information was disguised using industry standards, so ‘no financial information was put at risk’.

It is thought that the cause of this breach is down to human error rather than a cyber-attack, although an investigation is ongoing.

Do you need to worry?

The Travelex breach involves travel money customers who used Tesco Bank’s foreign exchange currency service online between 14 December 2016 and January 2017.

If you have been affected, you can expect to receive a letter from Travelex soon. The company has also set up a special hotline on 0800 9758376 (Mon-Fri 9am-5pm), or you can contact it via email.

What should you do now?

While Travelex is adamant that financial information is safe, and that there is no indication that any of the data has yet been used by a third party, your name, date of birth and contact details can be used by cyber-criminals with the aim of committing identity theft and fraud. So the breach is a significant one; particularly if the information finds its way onto the darknet.

As such it is vital that those at risk:

  • Report their concerns to the ICO to ensure a full investigation takes place
  • Review guidance issued by the ICO
  • Review all bank accounts and credit card statements for unusual transactions
  • Be cautious of any unsolicited communications that ask for any personal information or refer you to a website asking for the same
  • If you have been the victim of online fraud or identity theft, you should also contact Action Fraud. You can do this online or via telephone. Action Fraud is the national fraud reporting service and is the starting point for any police investigation into your loss.

While Travelex is offering 12 months’ complimentary fraud protection to those affected, we advise anyone signing up to be careful that in doing so, they are not inadvertently signing away their rights to pursue a compensation claim against the company. If you are in any doubt, please contact us and we can advise on the terms and conditions of this offer.

Can you claim compensation?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. In this case, we would expect payment of between £1,500 and £2,500 due to the details disclosed. However, this could increase further if you suffer any financial losses because of the breach.

If it is found that the leak was down to human error, there is a case for negligence. What’s more, we are especially concerned that there may have been a delay in disclosing the breach. If this is true, this could lead to aggravated damages being awarded (additional damages caused by the delay).

At Hayes Connor Solicitors we can seek compensation on your behalf. Likewise, if you suspect your data has been mishandled or lost, we can check whether this is the case, and if so, start the claims process.

Because of the number of people involved, we may also be able to mount a group action claim. With this approach, you and the other Claimants collectively bring your cases to court against a Defendant. Where circumstances are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim. As specialists in data law, we are watching this case very carefully and may put together a group action and seek compensation when the investigations are complete.

What now?

If you have been affected by this breach, contact us to start the legal proceedings. Likewise, if you want to be kept up to date on this case, get in touch. We’ll let you know if and when you can claim.



Healthcare accounts for nearly half of all data breaches

Last year was a challenging year for the healthcare sector, which is still feeling the after-shocks of the WannaCry global ransomware outbreak. And in 2018, we can expect to see an increase in attacks on the medical industry, particularly as healthcare organisations remain hesitant to dedicate budget to cybersecurity.

According to research, the UK health sector accounts for nearly half of all data breaches, with the collective healthcare breach numbers almost four times more than the second highest sector (local government). The last few years have certainly seen healthcare prove lucrative for hackers, and led to a rise in medical data breaches, with one in 13 patients having their records stolen after a healthcare provider data breach.

Healthcare is going online, and this information revolution has seen most organisations move away from paper record keeping. But the healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be looked after. However, as our health and social care system becomes digital, it appears that there are not yet adequate and robust protections in place to secure the data and information held within it. Following the WannaCry abuse, the vulnerability of the healthcare sector and the importance of improving its cybersecurity came into sharp focus.

Between January 2014 and December 2016, healthcare organisations suffered 2,447 incidents and accounted for 43% of all reported data breach incidents. However, when it comes to the reasons for these breaches, human error is the main culprit. So, in addition to worrying about external threats and ensuring the right technology and process are in place, more must be done to make sure that staff have the knowledge and ability to handle data securely.

Who is responsible for human error?

A company can be held liable for human error where it fails to ensure the proper security measures are in place. And, in a recent case, Morrisons was found “vicariously liable” for a disgruntled employee’s actions when he deliberately published sensitive data of almost 100,000 staff online. What this means is that an employer can be liable for the actions of its employees, as long as it can be shown that they took place in the course of their employment. So, when it comes to defending compensation claims, human error or misbehaviour is no excuse.

Today, information shared in error is the single highest contributor to data breaches year-on-year, and when this data contains sensitive medical information, the potential damage and distress becomes all too apparent. For example, in recent cases investigated by the ICO, sensitive diagnosis information was sent to a neighbour and confidential details about a woman and her family were sent to her estranged ex-partner.

At Hayes Connor, we can help you make claims against a wide range of healthcare organisations already fined by the ICO. Of course, you may not know that your medical data has been breached until you read about it or see it in the news. But if you are in any doubt it’s worth finding out whether your data was put at risk, because, if so, you may have a claim for compensation. We can also keep you updated on upcoming and current healthcare data breach claim investigations.


With strict time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

Do you have a data breach claim against a school?

Schools, colleges and universities handle lots of sensitive personal data, and it’s vital that this is kept safe, especially where children are involved. However, all too often, educational organisations either aren’t aware of their obligations or haven’t done enough to ensure that they meet them.

If you or a member of your family has suffered damage or distress caused by a school, college or university breaching any part of the Data Protection Act, you could have the right to claim compensation.

Has your child’s school failed to keep your data safe?

Schools must keep information secure and prevent breaches. Where schools fail to keep this information safe the Information Commissioner’s Office (ICO) can issue fines, and you might have a claim for compensation.

For example, photos and videos of your child taken by the school may be covered by data protection legislation, and you should be told why they are needed and where they will be used. You should also be asked to provide your consent for these to be used. Likewise, sending information to estranged parents who do not live together without the appropriate permissions could result in a data breach.

The General Data Protection Regulation (GDPR), which is set to be introduced later this year, extends data protections even further. For example, schools and universities will be banned from making exam results public without the consent of students.

There are even greater legal protections in place for Sensitive Personal Identifiable Information (SPII) such as name, date of birth, address, race or ethnicity, religious beliefs, physical or mental health, sexuality, criminal offences, etc.

Has your child’s school collected or used your data without your consent?

Schools must comply with fair processing/privacy notices. This means that they must set out the data they require, tell you why they need it, and obtain your consent to collect and use this data.

Under the GDPR all consent must be “freely given” with separate approvals provided for different processing purposes. There must also be a “positive and unambiguous indication of agreement”, so no agreement can be assumed from silence, inactivity, or pre-ticked boxes. Also, your consent can be withdrawn at any time.

If data is being passed on to a third party (e.g. other parents, schools, social services, etc.), you also must be told why and give your consent, even if the information has been requested by a public body (e.g. the police). Failure to do this could be a breach of data protection rules, give rise to significant fines, and open up schools to compensation claims. The only exception to this rule is where a failure to share information may place a child at risk of harm.

Has your child’s school refused or ignored an information access request?

Pupils have the right to see their personal information if they ask for it. However, parents and guardians don’t have the right to access their children’s personal data (apart from their educational records) unless they have consent from the child, or the child is unable to act on their own behalf.

Is the data held on you and your child out of date?

Schools must make sure any data held is up-to-date. To do this, they should carry out regular information audits and ask you to check that your details are correct. If a school keeps data for longer than it is needed, then it will violate the Data Protection Act.

Has your school told you about a data breach?

Your school must have robust procedures for detecting, reporting, and investigating any data breaches. Should a breach occur, they are legally obligated to tell the ICO without “undue delay.”

Can you make a data breach claim against a school?

Where a school fails in its data protection obligations, and you suffer some form of damage (financial or physical) or distress as a result, we can help you make a claim. Our professional, friendly team will advise you on whether you have a valid claim against a school, college or university. If you are not sure whether your sensitive information has been misused or mishandled, we can find this out for you.

If we believe you have a substantial, complex case, we may be able to act for you on a NO WIN, NO FEE basis. With strict time limits in place for making a data breach claim against an educational body (currently all breaches going back six years could be subject to a claim), it’s important to act now.


Equifax data hack letter – What to do next

If you are one of a number of people who have received a letter from Equifax telling you that your data has been involved in the Equifax data hack, you may be worried and unsure what to do next.

Firstly, it’s important for you to know that the FCA is now investigating this matter.

The good news for consumers is that the FCA has considerably more powers than the ICO, and so this ensures that the matter is being treated seriously.

Secondly, unfortunately you are not alone: it’s estimated that up to 400,000 people in the UK may have been affected by the Equifax hack.

Thirdly, we are looking into starting a group action claim to better protect the individuals affected.

If you want to be part of this claim or you would like more information then register with us via our secure form.

You can also call us if you have any questions about the process.

Once you have registered with us:

  • It’s important to keep a ‘diary’ or note of events since the hack – for example, has your card been used without permission?
  • Are there transactions that your bank has picked up that you haven’t made?
  • Are you getting more ‘spam’ or junk email with your name on? If so, create a folder and keep it – this may be relevant
  • Are you anxious or worried by the thought of people being able to access your data? Has this caused you any distress?

We will keep you updated about any new breaches via our Facebook page and newsletter and also notify you when we know more about the Equifax hack.


Equifax hack – More information

In December the FCA (Financial Conduct Authority) confirmed that they are investigating Equifax over the massive data hack.

Over 100,000 UK customers may have been affected by this hack.

We are still hearing from clients who are only now receiving letters from Equifax.

We would urge you to check your post and email and, if you do get a letter, contact us for further advice about what to do.

You are entitled to some level of compensation for this hack of Equifax.

If you want more information or to make a claim contact us today via our secure form

Once registered with us or if you have received a letter:

  • It’s important to keep a ‘diary’ or note of events since the hack – for example, has your card been used without permission?
  • Are there transactions that your bank has picked up that you haven’t made?
  • Are you getting more ‘spam’ or junk email with your name on? If so, create a folder and keep it – this may be relevant
  • Are you anxious or worried by the thought of people being able to access your data? Has this caused you any distress?

We will keep you updated about any new breaches via our Facebook page and group and also notify you when we know more about the Equifax hack.

To register your claim today visit our secure data breach form

Brexit and Data Protection. What Do You Need To Know?


Brexit has dominated the news for the last several months, and there’s little doubt that it’s going to continue to dominate for the next couple of years. While this might be good news for journalists and politicians (depending on their political leanings), the big question is how Brexit is going to affect ordinary people in their daily lives.

From our perspective here at Hayes Connor Solicitors, we’ve been watching closely so that we can continue to advise you. One area of particular interest is how Brexit might impact your data protection rights.

In the UK, at present, the regulation and protection of personal data is governed primarily by the Data Protection Act 1998. It’s a piece of national legislation, and Brexit will not change this.


The Government has also confirmed that the General Data Protection Regulation (GDPR), devised by the EU, will be implemented into UK law from May 2018. The regulation is intended to enhance and develop the provisions of the Data Protection Act.

The GDPR is being introduced to establish a single set of rules across Europe. It is hoped that this will make it easier and cheaper for organisations to do business across the EU. There will also be a substantial increase in fines for organisations that do not comply with the new regulation.


You can find out more about GDPR on the Information Commissioner’s Office (ICO) website.


With most people believing that Brexit will take two years to complete from when the Government starts the formal process, it’s unlikely that Brexit will be concluded by the time GDPR becomes law. Therefore, the regulation will form part of UK law, at least for a certain period. However, when Brexit is finally achieved, the regulation will cease to be part of UK law.

That said, due to the importance of the provisions contained within GDPR, it is in the UK’s best interests to preserve the rights of individuals and businesses, as this allows people to supply and receive services across geographical boundaries effectively and securely.

While the future of Brexit may not be clear, the importance of data protection and regulation is so pervasive in our global society, that Brexit is likely to have little or no impact on the rights of businesses and individuals to operate safely and securely in an ever increasing digital world.

If you have been the victim of a data breach, contact Hayes Connor Solicitors today. Our initial evaluation is always free of charge, and there’s never any obligation to take things further.

Alternatively, you can find out more about making a data breach compensation claim on our website. 
With strict time limits in place for making most compensation claims, if you want to achieve maximum redress in the minimum amount of time, it’s important to act now.