data breach solicitors

What are your rights if you are ‘named and shamed’?

A restaurant in Cardiff recently hit the news after its owner took to Twitter when a customer missed her reservation. The screenshot of the booking, posted on Twitter, revealed the customer’s name, telephone number and email address. Not only did the post disclose her personal details, but it also triggered a torrent of abuse from other users of the social media site.

When that prospective diner made her reservation, she likely didn’t bank on her personal information being shared all over the Internet. And, while diners who don’t show up are undoubtedly a genuine problem for restaurants, the owner’s decision to ‘name and shame’ the customer wasn’t just poor etiquette, it was a serious violation of her privacy.

We live in a world in which we’ve grown accustomed to sharing our personal information with relative ease – be it on social media sites, through online shopping, or even making a reservation at a restaurant. Unfortunately, this means we are sometimes at risk of that information being shared or used in ways that are inappropriate, or even illegal. So what happens when you become the victim of a data breach?

 The use of personal data is currently governed by the Data Protection Act 1980. This Act is designed to protect storage of personal data, and its rules apply to any organisation, public or private, that has access to third-party data. While data seems like a very technical term, it actually covers all manners of personal information – from things such as name, address, or ethnicity, to more sensitive material such as religious beliefs, expressions of opinion, and sexual orientation.

The Data Protection Bill is currently making its way through Parliament in order to better protect people who share their data. It is intended to update British law, paralleling the EU’s incoming General Data Protection Regulation. This modernisation is a response to the ever-increasing amount of data that is processed, and according to Government, it will strengthen regulations, with tougher sanctions for breaches.

Those sanctions are implemented by The Information Commissioner’s Office (the ICO). The ICO is an independent body that investigates breaches – any individual can report a concern to the ICO, and it will be looked into. The ICO has a range of tools open to it – it can serve enforcement notices, conduct audits, and most notably, it has the power to impose fines of up to £500,000.

Further, when a breach is so serious as to constitute a criminal offence, the ICO can take the matter to court. Recent examples of those prosecuted include a nurse who inappropriately accessed patient files, and a counsellor who sent details of vulnerable clients to his personal email address – data breaches can occur in many different ways, and the consequences can be severe.

However, the ICO does not have the power to award compensation to those who have been directly affected by a data breach. In a case like that of restaurant reservation, where the violation was not only intentional but also arguably malicious, a victim may want to take further action. If the ICO has found an organisation guilty of a data breach, lawyers can work with the evidence that it provides to take private legal action. It isn’t strictly necessary to go to the ICO first, but their findings can strengthen any claim made.

When you supply your information to an organisation, you trust that that information will be used and stored appropriately. This isn’t just a social nicety – it can constitute a legal relationship. The organisation has a duty to you. If that duty is breached, and that breach causes you to suffer a loss, you may be entitled to compensation.

This suffering can be both financial and emotional. In 2015, a group of people brought a successful claim against Google after learning that the company had used their personal information to create targeted advertisements. This was deemed to be misuse of private information. The claimants suffered no financial loss – their claim was based purely on the fact that knowledge of third party access to private information caused them to feel distress and anxiety.

While the customer whose information was shared on Twitter might not necessarily have incurred a financial loss, she was subject to abusive comments from other people online. If this caused her distress, or anxiety, she could be entitled to damages to cover that loss.

In this case, the abuse may well be considered as an aggravating element of the data breach, but online abuse can constitute a separate criminal offence. “Trolling” – the abuse of individuals online – can be prosecuted under the Malicious Communications Act 2003. The threshold for prosecution is high, but with cybercrime on the increase, more measures are being taken to protect victims of online abuse. Another recent cybercrime phenomenon is “doxxing” – the publication of personal information that encourages harassment or criticism of the individual to whom it relates. Perpetrators can be charged under the Serious Crime Act 2007 – naming and shaming can in effect be a criminal offence.

Violations of your right to privacy are extremely serious, and the consequences can be so too. If you think you’ve been the victim of a data breach, you can contact the ICO, or get in touch with a lawyer. It’s easy to become desensitised to the importance of protecting your information, but if something as simple as making a dinner reservation can lead to a stream of online abuse, it shows that when it comes to data protection, it’s important to know your rights.


If you’ve been a victim of a data breach you can contact us to find out more about making a claim.


TSB: What are your rights following the recent data breach?

Following a bungled IT upgrade over the weekend, many TSB mobile and internet banking customers are still unable to access their accounts. And, according to reports, up to 1.9 million could be affected. To make matters worse, some customers have reported that they have been given access to random bank accounts worth thousands of pounds in what could be a terrible breach of personal data.

With many customers now calling for compensation from TSB, it is important that you know your rights.

Getting compensation from the bank

In 2012, The Royal Bank of Scotland was fined £56 million by regulators after a software upgrade left more than 6.5 million customers locked out of their accounts. The bank also paid over £70 million to UK customers. So people who haven’t been able to access their money over the last few days could be in line for compensation.

However, in the TSB case, the breach of personal information could also lead to a raft of data breach compensation claims against the bank.

Currently, both the Financial Conduct Authority and the Information Commissioner’s Office (ICO) are investigating the IT breakdown. But while they have the power to fine TSB for the failed system upgrade and any data breaches, they do not provide compensation to customers.

So, what can you do if your bank details were put at risk?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. If you are worried that your banking details have been exposed by TSB, there are a few simple steps you can follow.

  1. Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  2. Read our handy step-by-step guide to making a data breach claim
  3. If you are offered any form of compensation or free services for not being able to access your funds it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  4. Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Can you claim compensation if you didn’t lose any money?

In short, yes. In fact, while some people would have us believe that claiming for distress is an overreaction the law doesn’t agree with them.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

Organisations have a duty to protect your sensitive data. And letting other people access our bank accounts is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

Start a compensation claim against TSB

If you want to make a compensation claim against TSB, contact Hayes Connor ASAP. Our expert, online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you. Our initial assessment is always free.

If you want to find out more about claiming for a data breach you can contact us here

data breach solicitors

Do you have a data breach claim against a school?

Do you have a data breach claim against a school?

Schools, colleges and universities handle lots of sensitive personal data, and it’s vital that this is kept safe. Especially where children are involved. However, all too often, educational organisations either aren’t are aware of their obligations or haven’t done enough to ensure that they meet them.

If you or a member of your family has suffered damage or distress caused by a school, college or university breaching any part of the Data Protection Act, you could have the right to claim compensation.

Has your child’s school failed to keep your data safe?

Schools must keep information secure and prevent breaches. Where schools fail to keep this information safe the Information Commissioner’s Office (ICO) can issue fines, and you might have a claim for compensation.

For example, photos and videos of your child taken by the school may be covered by data protection legislation, and you should be told why they are needed and where they will be used. You should also be asked to provide your consent for these to be used.  Likewise, sending information to estranged parents who do not live together without the appropriate permissions could result in a data breach.

The General Data Protection Regulation (GDPR), which is set to be introduced later this year, extends data protections even further. For example, schools and universities will be banned from making exam results public without the consent of students.

There are even greater legal protections in place for Sensitive Personal Identifiable Information (SPII) such as name, date of birth, address, race or ethnicity, religious beliefs, physical or mental health, sexuality, criminal offences, etc.

Has your child’s school collected or used your data without your consent?

 Schools must comply with fair processing/privacy notices. This means that they must set out the data they require, tell you why they need it, and obtain your consent to collect and use this data.

Under the GDPR all consent must be “freely given” with separate approvals provided for different processing purposes. There must also be a “positive and unambiguous indication of agreement”, so no agreement can be assumed from silence, inactivity, or pre-ticked boxes. Also, your consent can be withdrawn at any time.

If data is being passed on to a third party (e.g. other parents, schools, social services, etc.), you also must be told why and give your consent, even if the information has been requested by a public body (e.g. the police). Failure to do this could be a breach of data protection rules, give rise to significant fines, and open up schools to compensation claims. The only exception to this rule is where a failure to share information may place a child at risk of harm.

Has your child’s school refused or ignored an information access request?

 Pupils have the right to see their personal information if they ask for it. However, parents and guardians don’t have the right to access their children’s personal data (apart from their educational records) unless they have consent from the child, or the child is unable to act on their own behalf.

Is the data held on you and your child out of date?

 Schools must make sure any data held is up-to-date. To do this, they should carry out regular information audits and ask you to check that your details are correct. If a school keeps data for longer than it is needed, then it will violate the Data Protection Act.

Has your school told you about a data breach?

Your school must have robust procedures for detecting, reporting, and investigating any data breaches. Should a breach occur, they are legally obligated to tell the ICO without “undue delay.”

Can you make a data breach claim against a school?

Where a school fails in its data protection obligations, and you suffer some form of damage (financial or physical) or distress as a result, we can help you make a claim. Our professional, friendly team will advise you on whether you have a valid claim against a school, college or university. If you are not sure whether your sensitive information has been misused or mishandled, we can find this out for you.

If we believe you have a substantial, complex case, we may be able to act for you on a NO WIN, NO FEE basis. With strict time limits in place for making a data breach claim against an educational body (currently all breaches going back six years could be subject to a claim), it’s important to act now.


facebook data

My data has been breached. What do I do?

My data has been breached… What do I do?

At Hayes Connor we deal with a number of cases where a clients data has been breached. In order to start a data breach claim we need to go through a number of details with you.

Each case is different as with any area of law but if you think that your data has been breached the first thing that we will ask is if you have reported this to the ICO?

The ICO is the body who will do an initial investigation on your behalf and then they may take action against the company who has commited the breach.

If you have been informed that you are informed that your data has been breached then you can make a claim for compensation – the Information Commissioner’s Office has issued information about what to do if you have been part of a breach.

ICO Guide for Data Breach and Cyber Crime – Click Here

You can also find information about what to do if your data has been breached as well being able to start your claim on our website

Click here 

Success Fees – FAQ’s


Success Fees are a mechanism by which a Solicitor will enter into an agreement with you for you to pay up to 25% of the damages you recover to that Solicitor in Costs. The Fee is only payable if the claim is successful and damages recovered. However, in some cases, your solicitor might charge a 0% success fee. This means you’ll receive 100% of any compensation awarded.


In the main, they mean that you will be paying part of your solicitor’s charges for running the claim for you. This being the case the Solicitor should account to you for the work they have done to justify charging the success fee. If they do not you may be able to challenge that fee.


In the main, because they are only entitled to fixed amounts of fees from Insurances companies who you are claiming against. This is the case for all Road Accident and Employer/Occupier or Public Liability claims with a value under £25,000 in damages.

Often the work that a solicitor will do for you in these cases will amount to a greater figure than the fixed costs available to them.


At all times a clear explanation of the fees they are going to charge you and why they are charging. They should be clear on the amounts, the timing of the payments and any other options you may have to fund that claim such as legal expense insurance you have already paid for elsewhere.


This is where you need to read the small print. There are many different approaches to the deduction of success fees and whether they include VAT, exclude VAT or have some element of administration charge or insurance product charge added. Always ask for a breakdown at the outset of how a fee is charged and an example.


Most Solicitors will not advertise their fee charges nor publish guidance on a website or other media for you to review. Always look at the No Win No Fee section of any material published and simply ask the question.

At Hayes Connor we work on a No Win No Fee basis and any success fee that is applicable will not exceed 25%. In some cases, particularly group actions, we offer 0% success fees.

cybercrime claims

Cyber Defamation

Have you been the victim of Cyber defamation? You can contact us to see if you may have a claim for compensation.

1. What is expression and defamation?

It is accepted in a democratic society that individuals have a right to express their own views and preferences. The Internet offers extensive potential for individuals and organisations to do this.

‘Defamation’, on the other hand, involves an abuse of freedom of expression whereby statements that may have a harmful impact on a person’s reputation are published.

Obviously it is important to ensure that unfounded claims should not be allowed to damage a person’s reputation, but it is also important for the law to balance such protections with the rights to freedom of expression that are a critical element of democratic societies. The issue of defamation has become a central issue in the use of the ‘Net because some corporations now use the threat of a legal action for defamation as a means to restrict the actions of groups or individuals campaigning against their activities. (See case study examples on notice and takedown).

2. How are defamation and freedom of expression covered by the law?

In the UK The Human Rights Act 1998 implements the European Convention on Human Rights (ECHR). Under the Convention:

  • The right to respect for an individual’s private and family life, home and correspondence is guaranteed under Article 8;
  • Rights of freedom of thought and expression are covered by Article 9;
  • Rights to freedom of expression and association are guaranteed under Articles 10 and 11.

These rights may have limitations put on them ‘as prescribed by law’ and which are ‘necessary in a democratic society’. The qualifications to these rights are the subject of continuing legal debate and case law.

The Defamation Act 1996 is the main UK law governing defamation. A defamatory statement can be published in:

  • Verbal form, when it is classed as slander – because only the spoken word is involved, slander can often be difficult to prove; or
  • Written form, when is classed as libel – a case for libel is easier to bring because evidence can be documented.

Material may have the potential to defame someone if:

  • The statement made would make an ordinary person modify their opinions of a person as a result of hearing or reading the statement.

Under UK law it is possible to defame corporations as well as individuals.
Defamation actions in relation to the Internet have so far involved libel. Libel must be widely ‘published’. You could libel someone using electronic networks by:

  • Sending an email, or an email attachment, where that email is widely posted or forwarded;
  • Making material available via a web page;
  • Posting to an email list or newsgroup; or
  • Streaming audio or video via the Net.

Anyone who actively transmits defamatory material is liable as part of any legal action. Most standard contracts for Internet services include conditions relating to defamation.

The 1996 Act creates a category of ‘special publisher’, where;

  • the material transmitted is passed automatically by electronic systems without their involvement; or
  • they are only the suppliers of the equipment or systems that enable publishing or distribution.

The Act also outlines the framework for prosecuting cases of alleged defamation, as well as various defences for anyone prosecuted along with the author of the material. To successfully defend against prosecution you must show that:

  • You were not the author, editor or publisher of the material;
  • That you had taken ‘reasonable care’ to prevent the publication of any defamatory material; and
  • That you did not know, or had reason to believe, that the material was defamatory, and that your transmission did not contribute to the construction of the defamatory material; or
  • The reputation of the ‘defamed’ person is such that the material could not conceivably change the average person’s views on them.

The current legal framework will probably be revised as part of new legislation for electronic commerce and electronic media.

If a person discovers that material that is damaging to their reputation is about to be disclosed, they could bring an injunction to prevent publication (on the basis of the damage it would cause, rather than on grounds of defamation). If the alleged defamatory material is already in the public domain, an injunction could be requested to force the removal or recall of the material before the case is heard.

3. How do defamation laws threaten civil liberties?

Companies and individuals may threaten a defamation action or use an injunction to silence their critics or campaigners. An injunction can be instantly actioned and prosecuted, regardless of whether it is justifiable. Given this, and the difficulty of fighting actions through the higher courts, some corporations have used injunctions rather than defamation actions to tackle problems with groups or campaigns.

Internet service providers, like other publishers, will not normally defend a claim of defamation. Rather than risk the costs of a legal action, many will simply remove the allegedly offensive material and undertake not to allow its future publication.

Filtering and blocking systems can be used in computers and Internet servers as a much simpler, and more effective, means for controlling access to material:

  • Filtering sifts packets of data or messages as they move across computer networks and eliminating those containing ‘undesirable’ material; and
  • Blocking prevents access to whole areas of the Internet based upon an address or location.

Concerns have been raised about the use of blocking and filtering software and the impact on freedom of expression. In the US, where such systems are widely used, a wide range of sites have been blocked; as well as those deemed ‘offensive’ because of their sexual or violent content, other sites seem to get blocked on the basis of their political content.

Filtering and blocking mechanisms are increasingly being used to control public access to sites critical of the state or status quo. Some states (such as China and Singapore) require the installation of this software, making it a form of indirect state censorship. Lists of blocked sites are usually protected under legal regulations on intellectual property, so it is difficult to have an informed debate about the civil liberties implications of such censorship.



What is No Win No Fee


A no win, no fee agreement is an arrangement between you and your solicitor. Also known as a Conditional Fee Agreement, if your claim is not successful, you won’t have to pay any money for the work carried out (providing you have not misled us).

No win, no fee agreements help people get the compensation and rehabilitation they need following an accident that wasn’t their fault.


From the very first time you speak to us, you’ll find us compassionate, friendly, and experienced. While each case is different, we can usually tell you straight away if you have a claim or not.

Once you have confirmed that you want to proceed on a no win no fee basis, we’ll remove the hassle and take care of all the complex legal work for you. And, because we want you to be able to get on with the rest of your life as soon as possible, a straightforward claim can be settled within as little as two to five months*.

Find out more about our hassle-free claims process. .


If your claim is successful (and that’s what we all want!), you’ll have to make a contribution to your solicitor’s costs. This ‘success fee’ is taken from the compensation awarded to you. The amount of the success fee depends on when your case is settled, but with us you’ll never have to pay more than 25% of your compensation.

Contact our expert personal injury specialists on 0330 995 0070 and start making your no win no fee compensation claim today.

There’s no obligation to proceed, and the call is completely confidential.



*More complex cases may take longer

What are No Win No Fee Agreements

data breach claims

Data breach compensation claims. Is your business protected?



With your confidential data one of your most valuable assets, and an estimated 1,266% jump in cyber fraud in 2016, it’s vital that your business is alive to the commercial consequences of breaching the personal data of your clients, employees, and competitors.


Under the Data Protection Act you must:

  • Use personal information fairly and lawfully
  • Collect only the information necessary for a specific purpose(s)
  • Ensure it is relevant, accurate and up to date
  • Only hold as much info as you need, and only for as long as you need it
  • Allow the subject of the information to see it on request
  • Keep all such data safe and secure.

In addition to protecting you from data breach compensation claims – and the financial implications associated with such actions – sound information management practices also make good business sense; boosting your reputation and increasing customer confidence.


As a very minimum, to ensure that your business is fully compliant with its data obligations, you need to consider:

  • Installing adequate firewalls
  • Regularly and routinely checking for viruses and malware
  • Ensuring all operating systems are updated and implemented regularly
  • Preventing staff members from sharing passwords
  • Encrypting personal data
  • Removing personal data from old computers
  • Identifying and recording what personal data is held and stored by the business
  • Making sure you have robust security systems in place to prevent data theft
  • Adding restrictive covenants into staff contracts (find out more about protecting your business from internal threats) {links to blog 22}
  • Establishing adequate policies to deal with issues such as marketing practices, social media use, and confidentiality
  • Making sure staff are trained and informed in matters relating to security and confidentiality
  • Establishing monitoring processes to detect any data breaches (and what you need to tell customers should the worst happen)
  • Liaising with the Information Commissioner’s Office (ICO) to develop and deploy compliant systems


To help you meet your obligations, download the ICO’s data protection self-assessment toolkit.



The ICO can issue an enforcement notice compelling a business to remedy a breach of the Data Protection Act. The sanction is made public, advertised on the ICO’s website, and carries significant harm to the reputation of the company concerned.

In addition to the issuing of an enforcement notice, the ICO can also issue financial penalties of up to £500,000. Recent fines against businesses include a telecommunications company being fined £440,000 for sending spam text messages, and an NHS Trust fined £325,000 for allowing the sensitive personal data of patients to be sold on eBay.

Stealing sensitive information is also a crime, so if a disgruntled or former employee of a competitor steals and then offers such info to you, the matter could be referred to the police. The  individual or company accused of stealing personal data could face criminal investigation and prosecution by the ICO, which leads, after conviction, to fines. If you obtained any financial benefits or competitive rewards because of stolen information, you may also be required to hand this back to the originating company.

The introduction of the General Data Protection Regulation (GDPS) from May 2018, will only serve to strengthen the powers of the ICO in combating data breaches. 

As such, we would recommend that all businesses be proactive in their relationships with the ICO, the public and their customer base in advance of this new regulatory regime. If they do not, an increase in fines from the regulator and an increase in civil claims will only cause long term economic difficulties to the business – as well harming its reputation in an ever increasing competitive marketplace.


Find out more about the data loss compensation process on our website

Alternatively, if your business has suffered a data breach due to the negligence or illegality of others, contact Hayes Connor Solicitors today.

Our initial evaluation is always free of charge, and there’s never any obligation to take things further.  With strict time limits in place for making most compensation claims, if you want to achieve maximum redress in the minimum amount of time, it’s important to act now.

data breach compensation

What To Do If Your Business Data Has Been Breached


Your company’s confidential data is one of its most valuable assets. Customer information databases, IP, trademarks etc. all help to give a competitive edge and can be the difference between success and failure.

The good news, is that data protection does not just apply to individuals and consumers. Businesses have rights too, and as such, where a mistake or other breach has occurred, companies can make a business data breach claim for compensation.


Businesses can protect themselves and their assets in a number of different ways. With prevention always better than cure. So, if you are entrusting your valuable data to a third-party, it always pays to make sure that they have adequate processes in place. At the very least this should include:

  • Secure firewalls
  • Anti-virus and anti-malware software
  • Regular and robust backup processes
  • A process for updating operating systems on a regular basis
  • Processes that prevent staff members from sharing passwords
  • Reliable encryption
  • Processes to remove outdated info
  • Processes to identify and record what personal data is held and stored by the business
  • Compliance with the Information Commissioner’s Office (ICO).

Of course, your own business should also adopt best practices when it comes to the above. 


What happens if a bank, financial institution or a trusted professional adviser of the business loses confidential data such as bank statements or financial material relating to the business?

Just like an individual, your business can pursue a claim for damages against the party who has either deliberately or negligently breached your confidential data.  

Due to the consequences of losing such information, the level of damages that may be awarded is likely to be substantial. Not just for the breach itself, but also to include the consequential damages and losses suffered by the business as a result.


“87% of employees take sensitive data with them when they leave a company, whether voluntarily or involuntarily.”

As well as protecting your business against external threats, you should also do everything you can to protect yourself from internal ones. This includes:

  • Making sure you have robust security systems in place to prevent data theft
  • Establishing monitoring processes to detect a data theft
  • Ensuring restrictive covenants are written into staff contracts. These prevent staff from sharing sensitive information once they have left your employ
  • Ensuring adequate policies are in place to deal with issues such as social media use
  • Ensuring these policies are communicated to employees.

However, stealing personal information is a crime, so if a disgruntled or former employee steals and then sells or misuses sensitive commercial information to obtain a financial benefit for themselves, or to provide a commercial advantage to a competitor, you can refer the matter to the police. You also have the right to criminally prosecute the individual in question.

In addition, where a theft has occurred you have the power to obtain injunctions to prevent the material being used or disclosed in the first instance, and thereafter you can apply to seize and obtain any financial benefits or rewards the employee or the competitor has achieved with the use of the information that was stolen.

Helping you to achieve the maximum amount of compensation, in the minimum amount of time, if your business has suffered a data breach due to the negligence or illegality of others, contact Hayes Connor Solicitors today.

Our initial evaluation is always free of charge, and there’s never any obligation to take things further.  Alternatively, you can find out more about making a business data loss compensation claim on our website. 

With strict time limits in place for making most compensation claims, if you want to achieve maximum redress in the minimum amount of time, it’s important to act now.