
Today we are required to hand over our personal data to a wide range of organisations, whether we are shopping online, carrying out banking transactions or booking a doctor's appointment. We trust that these organisations will take proper care of that data, but what happens when that trust is broken?
Data breaches can have a significant impact on the individuals affected, ranging from financial loss to stress and anxiety. But if you've had your data exposed in a breach, it's important to remember that there are legal steps you can take to protect your rights.
What counts as "personal data" in a breach?
Personal data is any information relating to a living individual who can be identified from it, directly or indirectly. Data breaches can expose many different types of personal data, and each type carries its own level of risk and potential harm.
Identity data
This includes basic information about you, such as your full name, date of birth and home address. Exposed together, these details are enough for a fraudster to open accounts or apply for credit in your name.
Financial data
If a data breach exposes bank account details or card numbers, there is a high risk of direct financial theft. In some cases victims do not notice the loss immediately, and repeated thefts can occur over a long period.
Sensitive personal data
This is a special category of information that includes your health records, ethnicity, political opinions, or sexual orientation. Exposing it can cause distress, embarrassment, and reputational damage.
Contact information
Even basic contact information carries risk. An exposed email address on its own is enough to target you with convincing phishing messages. If a password was exposed alongside it, criminals will try the same combination on your other online accounts (an attack known as credential stuffing, which succeeds wherever you have reused the password), or use your account to scam your friends and colleagues.
What are the hidden costs of a data breach?
As well as the direct financial cost of a data breach, for example where your card details were stolen and used by criminals to buy goods at your expense, the law also recognises what it calls "non-material damage".
This could include the hours spent on calls to your bank to cancel cards or secure your accounts. It could be the stress of having to change passwords and monitor credit reports. Or it could be the distress or anxiety at the thought that your private medical information has been publicly shared.
The good news is that the law recognises these additional factors as part of the harm that can be caused by a data breach, and they are all valid grounds for compensation.
How can I claim compensation for a data breach?
If your data has been exposed because an organisation failed in its duties under the UK GDPR, you have the right to claim compensation. Although the Information Commissioner's Office (ICO) has the power to investigate and fine organisations for breaches, it does not award compensation to individuals for loss or damage. You will have to pursue this yourself. The first step is to formally notify the organisation responsible of your claim, clearly setting out:
- The details of the breach
- The data that has been exposed
- The impact that the breach has had on you, both materially (e.g. direct financial loss) and non-materially (e.g. anxiety, stress, reputational damage)
Many claims are settled at this stage. However, if the organisation refuses to offer fair compensation, the next step may be to issue court proceedings. Complex Law can support you through the entire process, from drafting a formal notification to representing you in court if necessary. Learn more about our Data Breach services or speak to one of our solicitors to discuss how we can assist you in making a claim.
Frequently asked questions
What is the time limit for making a data breach claim?
In most cases, the time limit is six years from the date that you first became aware that the breach had occurred. There are exceptions, though. For example, for claims against public bodies, the time limit may be as short as twelve months. It's therefore always advisable to seek legal advice as soon as you find out your data has been exposed in a breach, to make sure you don't miss an important deadline.
How is compensation for 'distress' calculated?
There are no hard-and-fast rules or fixed amounts. Compensation for non-material damage is assessed on a case-by-case basis. A court will consider several factors, including the type of data breached (e.g., medical data vs. an email address), the length of time you have suffered distress, the severity of the impact on your mental well-being, and any medical evidence you can provide.
The company offered me a free credit monitoring service. Should I accept it?
Yes, it's a sensible step to help protect yourself from ongoing fraud following a breach which exposed your financial data. Accepting such an offer doesn't affect your right to claim for financial loss or distress. If the courts find that the harm caused to you by the breach outweighs the benefit of the free monitoring service, you may be able to claim additional compensation.
The breach was caused by a cyber-attack. Is the company still liable?
Yes, they may still be liable for the breach. Under UK law, specifically the UK General Data Protection Regulation (UK GDPR), organisations that handle personal data have a duty to implement "appropriate technical and organisational measures" to protect it. A criminal attack does not remove that duty. If the organisation failed to meet it, for example by leaving known vulnerabilities unpatched, by not keeping its security software up to date, or because its staff did not follow the correct processes or had not received sufficient training, then it can be held responsible for the breach even though the immediate cause was a criminal hack.