Data breaches are becoming increasingly frequent. It’s tough to go a day without news of another data breach or cybersecurity incident hitting the headlines. At the same time, it’s also common for other incidents, like fraud, to be miscategorised as data breaches.
So what exactly is a data breach?
What is a data breach?
While data breaches come in many shapes and forms, we’re looking specifically at data breaches that affect you as an individual. Such data breaches are different from those that might impact businesses but not their customers or users, like recent incidents involving Vodafone and Samsung.
So what is a personal data breach?
When talking about data breaches that affect you individually, these are events, including security breaches, that, without your permission, lead to your data being:
- Accidentally or unlawfully disposed of or destroyed
Such data breaches can be accidental, due to negligence, or due to malicious acts on the part of a data processor or third party.
The Information Commissioner’s Office (ICO) broadly defines a data breach as a “security incident that affects the confidentiality, integrity or availability of personal data.”
6 examples of personal data breaches
The following examples are all personal data breaches:
- Your details on the Police National Computer are accessed by an employee who doesn’t have permission or clearance to do so.
- A data protection officer at a company or another organisation fails to delete your data despite you requesting they do so.
- Files containing your personal information are accidentally sent to others, disclosing potentially sensitive data about you and your circumstances.
- An employee working from home has their laptop stolen, which contains your personal details relating to casework the employee was undertaking on your behalf.
- Someone changes your personal data without your permission. Such an incident can be anything from changing your contact details to updating whether you want to be contacted or be part of a mailing list.
- A company loses your personal data and cannot disclose what information it holds about you.
When should a company tell you that you’re involved in a breach?
You might be surprised to learn that businesses and other organisations aren’t, by default, obliged to tell you if your data has been involved in a breach. In fact, these entities don’t have to tell the ICO or anyone at all unless a breach meets certain conditions and thresholds.
The ICO says that organisations should inform you of a data breach as soon as possible if the incident is “likely to result in a high risk to the rights and freedoms of individuals.”
Unfortunately, what a “high risk” looks like is left open to interpretation. So, the same data breach could happen at two different organisations, but if one decides you’re at risk and the other doesn’t, you may only ever learn about one of them. The reality is that most people affected by data breaches never know about it. Many only become aware when they notice a sudden increase in fraudulent attempts to sign in to their online accounts or a rise in phishing emails, and many others first learn about a data breach from the news.
That said, one of the primary reasons for an organisation to tell you you’ve been involved in a breach is to give you the best chance possible of protecting yourself. For example, if your credit card details or password for online banking are exposed, the sooner you know about it, the quicker you can secure accounts and mitigate risks.
If organisations suffer a data breach that they must report to the ICO and decide not to inform you of the breach, they must keep a record of their decision-making process. The ICO also has the power to tell organisations that they must tell you about a data breach if they feel the circumstances warrant such a step.
What information must businesses tell you when notifying you of a data breach?
If your personal details are involved in a data breach, and the risk is such that the organisation involved needs to notify you, they should tell you:
- The nature of the data breach, including how it occurred and what data was involved
- Contact details for their data protection officer or any other person or department who can provide further information should you want to get in touch
- Potential or likely consequences of the data breach
- What actions they have already taken or will take to deal with the data breach
- What steps they have taken or will take to mitigate the potential consequences of the data breach
The ICO tells organisations to give “specific and clear advice.” As such, if your personal details are involved in a data breach, any notification you receive should leave you with a clear set of actions on what to do next.
Organisations may also:
- Force a password reset for your account – if a business doesn’t notify you of a data breach but they force you to update your password, then the chances are this is what has happened
- Tell you to use strong and unique passwords, or use a tool like a password manager
- Advise you to look out for things like phishing emails or fraud alerts on your credit report
What can you do if you suspect your personal details have been involved in a data breach?
The first thing you should do is take action to protect yourself. What this looks like will depend on what you believe has happened. For example, you might decide to change your password for an online account or enable multi-factor authentication for a particular platform. Alternatively, you might decide you need to cancel a credit card or delete an account entirely. Longer-term, you may choose not to shop somewhere or be more mindful of what data you share and with whom you share it.
Who can I complain to about a data breach?
You can complain to the company you suspect of being responsible for or involved in a data breach, and to the ICO.
In both instances, your communication should outline the nature of your complaint and how the alleged incident has impacted you.
How do I claim data breach compensation?
You won’t be able to claim compensation for every data breach. Typically, only severe data breaches that lead to the ICO dishing out significant fines lead to successful compensation claims. For example, being sent an email from a mailing list you never signed up to is, strictly speaking, a data breach. But it’s difficult to argue this impacted you any more than being a mild inconvenience. In contrast, you might have a stronger case if a company disclosed your email address and other personal details to everyone else on that mailing list.
The truth is that every data breach case is different.
If the ICO is investigating a specific data breach incident, LawPlus Solicitors will wait for the outcome of that investigation before opening any claims. Awaiting the result of an ICO investigation means it’s easier to gather evidence for a claim, and organisations will often admit they’re at fault.
If you’ve been affected by a data breach, contact us here for a free, no-obligation review of your case and potential claim.