Posts

data breach appeal
, ,

Morrisons loses data breach appeal

Supermarket Morrisons has lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. However, Morrisons went on to challenge this decision.

The employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

The Court of Appeal upheld the original decision against the supermarket with three judges saying they agreed with the High Court’s earlier decision.

 

Where Next

Over the last 18 months, we have seen numerous examples of significant personal data loss. Many of these violations have been able to occur due to weaknesses contained in companies’ IT software.

As the trend towards a cashless society accelerates, this will only continue as retailers and other businesses seek quicker and slicker interfaces with their consumers. Both at the point of sale and throughout their customer journey.

In the case of Morrisons, significant steps were taken to protect data, but those steps failed. In this instance, the data was lost at the hands of an employee turned hacker. However, data is also at threat simply due to careless employees going about their day-to-day business.

The latest ruling is the tip of a very large iceberg. Mass data breach actions are also being made against Ticketmaster and British Airways among others. Such actions, when properly prepared and investigated, will have significant financial consequences in terms of damages and costs.

Data breaches on a large scale are a real and pressing threat. In response, the clear and overwhelming view of the Court of Appeal is that such events must be foreseen by companies, and insured against.

The reaction of the insurers to such events, their provision of cyber cover and premium costs is now under the spotlight. Indeed, we predict a situation where the volume of exclusions to policies will increase.

Companies must now protect themselves better from data loss. But they also need to be extremely vigilant as to the activities and errors of their employees to be afforded the cover they pay for, or think they pay for.

 

If you have been affected by this or any other data breach then you can get in touch with our experts today

data breach solicitors
,

What are your rights if you are ‘named and shamed’?

A restaurant in Cardiff recently hit the news after its owner took to Twitter when a customer missed her reservation. The screenshot of the booking, posted on Twitter, revealed the customer’s name, telephone number and email address. Not only did the post disclose her personal details, but it also triggered a torrent of abuse from other users of the social media site.

When that prospective diner made her reservation, she likely didn’t bank on her personal information being shared all over the Internet. And, while diners who don’t show up are undoubtedly a genuine problem for restaurants, the owner’s decision to ‘name and shame’ the customer wasn’t just poor etiquette, it was a serious violation of her privacy.

We live in a world in which we’ve grown accustomed to sharing our personal information with relative ease – be it on social media sites, through online shopping, or even making a reservation at a restaurant. Unfortunately, this means we are sometimes at risk of that information being shared or used in ways that are inappropriate, or even illegal. So what happens when you become the victim of a data breach?

 The use of personal data is currently governed by the Data Protection Act 1980. This Act is designed to protect storage of personal data, and its rules apply to any organisation, public or private, that has access to third-party data. While data seems like a very technical term, it actually covers all manners of personal information – from things such as name, address, or ethnicity, to more sensitive material such as religious beliefs, expressions of opinion, and sexual orientation.

The Data Protection Bill is currently making its way through Parliament in order to better protect people who share their data. It is intended to update British law, paralleling the EU’s incoming General Data Protection Regulation. This modernisation is a response to the ever-increasing amount of data that is processed, and according to Government, it will strengthen regulations, with tougher sanctions for breaches.

Those sanctions are implemented by The Information Commissioner’s Office (the ICO). The ICO is an independent body that investigates breaches – any individual can report a concern to the ICO, and it will be looked into. The ICO has a range of tools open to it – it can serve enforcement notices, conduct audits, and most notably, it has the power to impose fines of up to £500,000.

Further, when a breach is so serious as to constitute a criminal offence, the ICO can take the matter to court. Recent examples of those prosecuted include a nurse who inappropriately accessed patient files, and a counsellor who sent details of vulnerable clients to his personal email address – data breaches can occur in many different ways, and the consequences can be severe.

However, the ICO does not have the power to award compensation to those who have been directly affected by a data breach. In a case like that of restaurant reservation, where the violation was not only intentional but also arguably malicious, a victim may want to take further action. If the ICO has found an organisation guilty of a data breach, lawyers can work with the evidence that it provides to take private legal action. It isn’t strictly necessary to go to the ICO first, but their findings can strengthen any claim made.

When you supply your information to an organisation, you trust that that information will be used and stored appropriately. This isn’t just a social nicety – it can constitute a legal relationship. The organisation has a duty to you. If that duty is breached, and that breach causes you to suffer a loss, you may be entitled to compensation.

This suffering can be both financial and emotional. In 2015, a group of people brought a successful claim against Google after learning that the company had used their personal information to create targeted advertisements. This was deemed to be misuse of private information. The claimants suffered no financial loss – their claim was based purely on the fact that knowledge of third party access to private information caused them to feel distress and anxiety.

While the customer whose information was shared on Twitter might not necessarily have incurred a financial loss, she was subject to abusive comments from other people online. If this caused her distress, or anxiety, she could be entitled to damages to cover that loss.

In this case, the abuse may well be considered as an aggravating element of the data breach, but online abuse can constitute a separate criminal offence. “Trolling” – the abuse of individuals online – can be prosecuted under the Malicious Communications Act 2003. The threshold for prosecution is high, but with cybercrime on the increase, more measures are being taken to protect victims of online abuse. Another recent cybercrime phenomenon is “doxxing” – the publication of personal information that encourages harassment or criticism of the individual to whom it relates. Perpetrators can be charged under the Serious Crime Act 2007 – naming and shaming can in effect be a criminal offence.

Violations of your right to privacy are extremely serious, and the consequences can be so too. If you think you’ve been the victim of a data breach, you can contact the ICO, or get in touch with a lawyer. It’s easy to become desensitised to the importance of protecting your information, but if something as simple as making a dinner reservation can lead to a stream of online abuse, it shows that when it comes to data protection, it’s important to know your rights.

 

If you’ve been a victim of a data breach you can contact us to find out more about making a claim.

,

TSB: What are your rights following the recent data breach?

Following a bungled IT upgrade over the weekend, many TSB mobile and internet banking customers are still unable to access their accounts. And, according to reports, up to 1.9 million could be affected. To make matters worse, some customers have reported that they have been given access to random bank accounts worth thousands of pounds in what could be a terrible breach of personal data.

With many customers now calling for compensation from TSB, it is important that you know your rights.

Getting compensation from the bank

In 2012, The Royal Bank of Scotland was fined £56 million by regulators after a software upgrade left more than 6.5 million customers locked out of their accounts. The bank also paid over £70 million to UK customers. So people who haven’t been able to access their money over the last few days could be in line for compensation.

However, in the TSB case, the breach of personal information could also lead to a raft of data breach compensation claims against the bank.

Currently, both the Financial Conduct Authority and the Information Commissioner’s Office (ICO) are investigating the IT breakdown. But while they have the power to fine TSB for the failed system upgrade and any data breaches, they do not provide compensation to customers.

So, what can you do if your bank details were put at risk?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. If you are worried that your banking details have been exposed by TSB, there are a few simple steps you can follow.

  1. Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  2. Read our handy step-by-step guide to making a data breach claim
  3. If you are offered any form of compensation or free services for not being able to access your funds it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  4. Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Can you claim compensation if you didn’t lose any money?

In short, yes. In fact, while some people would have us believe that claiming for distress is an overreaction the law doesn’t agree with them.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

Organisations have a duty to protect your sensitive data. And letting other people access our bank accounts is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

Start a compensation claim against TSB

If you want to make a compensation claim against TSB, contact Hayes Connor ASAP. Our expert, online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you. Our initial assessment is always free.

If you want to find out more about claiming for a data breach you can contact us here

facebook data
,

Facebook to alert you if your data was shared

From today, Facebook will begin notifying the 87 million people whose personal information may have been improperly shared with Cambridge Analytica.

If your data was leaked, you will receive a message from Facebook at the top of your news feed. This will provide details on how you are affected. You will receive this message if you or your friends used Facebook to log into the This Is Your Digital Life app.

Also, all other Facebook users will receive a notice helping them to turn off specific apps or shut down third-party access to their apps entirely.

While most of those affected are in the US, some people in the UK have also had their details breached. It is understood the messages will be sent out at about 5pm in the UK.

Facebook is now facing investigation both in the UK and the USA. If the social media giant is found to be in breach of the data protection act, you could be entitled to compensation.