Understanding Data Protection: How to Minimise Data Breach Risks and Claims

Data protection legislation in the UK, principally the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), is crucial for safeguarding personal information and helps ensure that organisations handle personal data responsibly and transparently.

The key areas for organisations to focus on are as follows:

  1. Legal Principles: Adherence to principles such as lawfulness, fairness, transparency, data minimisation, and accuracy when processing personal data.
  2. Individual Rights: Enhanced rights, including access to personal data, requesting its deletion, and objecting to its processing.
  3. Consent and Sensitive Data: Stricter rules for obtaining consent and for handling special category (sensitive) data.
  4. Data Breach Reporting: Personal data breaches that are likely to result in a risk to individuals must be reported to the Information Commissioner’s Office (ICO) within 72 hours of the organisation becoming aware of them, and the affected individuals must be told without undue delay where that risk is high.
  5. Fines: Non-compliance can result in significant fines, up to £17.5 million or 4% of annual global turnover, whichever is higher.

The Reality of Data Breaches

In the UK there were more than 1.5 million recorded data breaches in 2023, and so far in 2024 there have been 30,458 cyber threat incidents. Figures suggest that 88% of data breaches are caused by human error, and that 50% of UK businesses have suffered a cyber-attack.

An email from a retailer advising that your personal data has been leaked following unauthorised access to its systems; a phishing email purporting to come from your bank and asking you to ‘verify your details’; a link to a website stating that you have ‘won a prize’. These are all common occurrences which many of us will have experienced.

Claimant solicitors and claims management companies with expertise in data breach claims continue to market their services through various media channels.

Data breaches are not a new phenomenon, and there have been numerous high-profile data breaches over the years involving well-known organisations.

The Legal Landscape

Case law has developed in recent years in favour of defendants and has significantly affected how these claims are handled:

  1. Lloyd v Google LLC (2021): The UK Supreme Court ruled that claimants must prove actual damage or distress resulting from a data breach, rather than claiming for loss of control of their personal data alone. This decision has made it more challenging to bring large-scale representative actions for data breaches.
  2. Warren v DSG Retail (2021): The High Court limited the scope of claims that can be brought for data breaches, ruling that claims for breach of confidence and misuse of private information cannot be brought in respect of a cyber-attack where the defendant was merely the victim of a third-party hack.
  3. Rolfe v Veale Wasbrough Vizards LLP (2021): The High Court dismissed a claim for a minor breach, stating that trivial breaches should not sound in damages.
  4. Underwood v (1) Bounty UK Ltd (2) Hampshire Hospitals NHS Trust (2022): The first defendant (“Bounty”) had been fined £400,000 by the ICO in 2019 in respect of data harvested from expectant mothers and sold on to third parties. The claim against the hospital, as second defendant, was dismissed on the basis that the unlawful conduct was solely Bounty’s and there had been no breach of data protection legislation by the hospital. The case also gave guidance on the requisite threshold of seriousness: not all data, such as a name and date of birth, will cross the threshold needed to justify a damages award.

These cases demonstrate that the bar for a successful claim has been raised: claimants are required to demonstrate genuine harm or financial loss resulting from a breach. These developments have made it more difficult for individuals to bring claims based solely on the fact that their data was compromised, which should lead to a reduction in litigation.

Successful Claims 

Claims are more likely to succeed if they involve:

    • Breaches of sensitive personal information like medical records or financial data, which are considered more serious and can lead to high settlement figures (see TLT v Home Office (2016)).
    • Cases where claimants can provide evidence of significant emotional distress or psychological harm resulting from the breach, especially if supported by medical evidence.
    • Claims where the claimant can prove their personal data was actually accessed or misused by unauthorised third parties, rather than a near miss.

Legal Reform in Data Breach Claims 

In October 2023, a new ‘intermediate’ track with its own banding of fixed recoverable costs was introduced. Despite this, claimant representatives often seek costs on the standard basis by pleading ‘misuse of private information’, even in cases that are in substance injury claims.

Key points:

    • The cases of Johnson v Eastlight Community Homes Ltd (2021) and Cleary v Marston Holdings Ltd (2021) established that such claims are suitable for the County Court and the Small Claims Track, which in effect markedly diminishes recoverable costs.
    • Claims with only nominal value may not result in any award of costs.
    • Claimant solicitors may choose to issue data breach claims in the intermediate track, but this area of law remains largely untested.
    • Costs are a significant motivator for solicitors in presenting data breach claims, with costs regularly outweighing the damages their clients recover.


What Organisations Can Do

Given the increase in claims and the resultant litigation, should organisations, including public authorities, be doing more to protect their systems and to prevent human-error incidents?

To protect data and prevent claims, organisations should:

  1. Implement robust policies: Establish clear guidelines on data handling and security, and check that they are actually followed.
  2. Conduct regular assessments: Understand what personal and sensitive data exists, where it is stored and who can reach it.
  3. Limit access: Apply the principle of least privilege, restricting access to sensitive data to those who need it for their role and reviewing that access regularly.
  4. Encrypt data: Ensure data is encrypted both at rest and in transit, so that a lost device or intercepted transfer does not expose readable personal data. Note that encryption does not prevent the misdirected email or misaddressed post that accounts for many human-error breaches; outbound email checks and data loss prevention tools address those.
  5. Perform security audits: Regularly check for and address vulnerabilities, including patching known flaws in internet-facing systems.
  6. Train employees: Provide regular training on data privacy and security, including how to recognise phishing emails.
  7. Use security measures: Employ antivirus software, firewalls, multi-factor authentication and intrusion detection systems.
  8. Have response plans: Establish clear procedures for addressing data breaches, including how the risk to individuals will be assessed and how the 72-hour ICO notification deadline will be met.
  9. Minimise data collection: Only collect and retain necessary data; data that is not held cannot be breached.

By focusing on these areas, organisations can enhance their data protection capabilities, reducing the risk of breaches and subsequent claims.

Conclusion 

Understanding data protection legislation and implementing strong security measures can help prevent or minimise data breach risks. Organisations that prioritise data protection not only comply with legal requirements and reduce litigation risk, but also build trust with their customers, ensuring a safer digital environment for everyone.

Bethany Foster, Senior Claims Technician, Specialist Claims

If you would like more information about our products, visit: zurich for brokers
