What is a Data Breach Claim?
“Someone stole my personal information and I want something done about it now!”
A very human and natural reaction to theft. If someone steals your car or breaks into your house and steals your personal possessions, you rightly expect the police to come, investigate and hopefully catch the perpetrator and ideally return your stolen property. OK, so in today’s age police forces are stretched. A lack of resources means that crimes like this are less likely to be prosecuted successfully than ever. But you can rightly expect to be able to claim compensation from your insurer to cover your losses.
“Surely the same is true of data and information theft, after all, theft is theft, right?”
Well, no, it’s not the same.
Before we go any further: for ease of reading, the terms “data” and “information” are used interchangeably in this post. It’s worth remembering that data is a collection of facts, which in and of themselves have no meaning. Information puts those facts into context. For example, your age is data. Your age and what you read in the last month could be classed as information. Either way, if an organisation loses data or information, they are responsible for it under data protection law.
It can be daunting when, as an individual, you need to understand your rights in any situation dealing with the law. The avenues available to you for seeking compensation in the aftermath of a data breach are not simple to navigate, but we can help you navigate through them. This post will provide some key insights into data breach compensation and claims in the UK. After reading this, you will be in a much stronger position. Without knowing the law, you can never hope to have it work for you, and with you.
Data Protection Laws in the UK
The UK was subject to the Data Protection Act (DPA) 1998, which aimed to regulate the processing of personal data. However, with the implementation of the General Data Protection Regulation (GDPR) in May 2018, the landscape of data protection significantly changed. The GDPR provides comprehensive guidelines for data protection, data breach notifications, and the rights of data subjects, enhancing individuals’ control over their personal data.
Data Breach Notification
Under the GDPR, data controllers are obligated to report significant data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Additionally, affected individuals (data subjects) must be notified if the breach poses a high risk to their rights and freedoms. Proper and timely notification is the key here, as it allows victims to take appropriate measures to protect themselves from further harm. Businesses that process and control personal information are now under quite some pressure to ensure their processes minimise the reach of data being stolen. However, the process still does not make it easy to approach these companies as individuals.
Establishing Liability for Breaching Your Data
To seek compensation for a data breach in the UK, individuals must demonstrate that the data controller or processor was responsible for the breach due to negligence or inadequate security measures. Proving liability can be challenging, and it often requires expert legal assistance to build a strong case. You do not have the right to demand investigations or supporting information from the data processor, and in any case, these organisations tend to be less concerned about individuals and more geared up for dealing with corporate clients. However, as a data subject, who has had data stolen, you do have the right to claim for a data breach. A data breach claim (not the most imaginative name) can be made if the following criteria have been fulfilled:
- The data was lost or stolen in a successful hacking attempt or was lost due to gross negligence on the part of the controller/processor.
- Your data was sent to a third party without your express permission.
- The organisation (or individual) had not kept accurate information about you, or it was not kept up to date, and that inaccuracy has caused you material damage (e.g., it cost you money) or non-material damage (stress, personal harm to your reputation) (more on that later).
- Your data was used “inappropriately”, e.g. a software company that you bought a product from passes your data to a third party who processes it for targeting you with medical insurance advertising.
When and Where to Submit a Data Breach Claim
One key right you have is one you have always had. It’s the right to discuss the data breach with the organisation at fault. The best advice is to start the process with an expert in data protection law who can step you through the process and give you solid legal advice.
If you suspect your personal data has been involved in a breach, your first step should always be to contact the data processor/controller (ideally via the aforementioned expert) and demand a disclosure of the data that has been breached. Data protection law is quite clear about always first trying to sort an acceptable settlement “out of court”.
You can then enter into the process of negotiating directly with the organisation (or individual) to secure a satisfactory conclusion. If this proves unsuccessful, you do have the right to take the case to court and seek a legal judgement on your case. However, you must notify the third party who caused the breach of your intention to take the matter to the courts for resolution. You should only do this if all other possible avenues for resolving the matter have been explored, as it is very likely that any cooperation you had with them will be swiftly withdrawn the second they know you intend to “go all legal” on them.
If you are unable to reach a satisfactory conclusion you can apply to a court with an action to enforce your rights under data protection law.
Compensation and Damages
If you do decide to “go legal” in the UK, as a data breach victim you can seek compensation for both financial and non-financial damages resulting from the breach. Financial damages may include direct financial losses, while non-financial damages encompass emotional distress, anxiety, and reputational harm. The courts will assess the extent of the harm and determine appropriate compensation accordingly.
From the analysis of previous breach claims in the UK, you can reasonably expect to see compensation for the various types and levels of the breach to be in the region of £2000 for minor breaches up to £42900 for breaches that have caused bodily or emotional harm. Remember these are only approximate figures. The court will determine the exact amount and there are no hard and fast rules for the figure they may come to.
Initiating a Data Breach Claim
To initiate a data breach claim in the UK, individuals can pursue various routes, including:
- Informal Complaints: Initially, victims can approach the data controller or processor directly to resolve the issue informally. However, if this does not lead to satisfactory results, formal action may be necessary.
- ICO Complaint: Victims can lodge a complaint with the ICO, which will investigate the breach and may impose fines on the responsible party. While the ICO can take enforcement action, it cannot provide compensation to individuals.
- Legal Proceedings: If informal complaints and ICO complaints do not yield the desired outcome, data breach victims can pursue legal action through civil courts to seek compensation. All the UK courts provide advice and guidance on how to do this on their various websites, but as previously stated you are best served going to a legal expert who can guide you from the start.
Time Limit for Data Breach Claims
In the UK, the Data Protection Act 2018 provides a limitation period of six years for individuals to bring a data breach claim before the courts. The time limit typically starts from the date when the victim becomes aware of the breach.
Challenges in Making Data Breach Claims
Data breach claims can be complex, and individuals may face various challenges, including:
- Proving Causation: Establishing a direct link between the data breach and the harm suffered can be difficult, especially for non-financial damages.
- Legal Costs: Pursuing legal action can be expensive, and as a victim, you may be concerned about the costs involved.
- Settlement Negotiations: Some data breach cases may lead to settlement negotiations, and victims should carefully consider the terms and conditions of any proposed settlement. In many cases, these can be long and drawn-out, taking years to complete.
Is It Worth Making a Data Breach Claim?
You bet your data it is, if only to continue to put pressure on organisations to manage other people’s data more securely. Is it going to alleviate the pain and distress caused by your personally identifiable information being made public? No, but it might just make it less likely for people in the future.
Furthermore, if your data was breached and you were offered a free credit monitoring service — take up the offer to help protect yourself from threat actors using your stolen data for potential theft. Don’t play the odds – reduce them.