When should I be told my data has been involved in a breach?

You might think the answer to this question would be “every time it happens and as soon as possible afterwards.”

And it’s understandable that you’d think that way. After all, if your personal data is viewed, accessed, altered, deleted, or used in any other way without your permission, you would think you have a right to know.

But that isn’t always the case.

Whether you’ll be told when your data is involved in a breach depends on how the business or organisation that has suffered the breach interprets the Information Commissioner’s Office’s (ICO) guidelines.

The ICO says that businesses or organisations must inform you if a breach is “likely to result in a high risk to the rights and freedoms of individuals.” While it’s up to the business or organisation that has suffered the data breach to decide whether you need to be told, the ICO does have the power to order these entities to notify you if they don’t plan on doing so, and the ICO believes you are potentially at risk.

How do businesses decide if I’m at high risk due to a data breach?

If a business suffers a data breach, it must decide whether it should notify you by assessing “both the severity of the potential or actual impact on individuals…and the likelihood of this occurring.”

So, for example, say a business suffers a data breach by accidentally giving an internal department that shouldn’t be able to see this data access to files containing your personal details. Upon realising what has happened, the business immediately revokes access and securely deletes any copies from employees’ systems where automated cloud-sync software had already downloaded the data. This is unlikely to “result in a high risk” to your rights and freedoms, so it’s doubtful the business involved would tell you about this.

In contrast, say a business suffers a data breach due to a ransomware attack from a cybercrime group. If sensitive information like your name, address, credit card details, account email address and password is accessed, you would potentially be at a high risk of being a victim of identity fraud. As such, you would expect to be informed by the business or organisation in question in this instance.

What should businesses tell me when informing me of a data breach?

In the event of a data breach where a business or organisation needs to inform you, the ICO says they should provide at least:

  • Contact details for their data protection officer or any other individual or department you can contact should you want to ask questions or get further information
  • The potential consequences of the data breach
  • What they’ve done or plan to do to deal with the data breach itself, and what they’ve done or plan to do to mitigate its potential consequences

What should I do if my data has been involved in a breach?

The business or organisation that has suffered the breach leading to your data being compromised should give you advice on what you should do. For example, if the data breach has seen your login details compromised, the business involved may force a password reset and advise you to change any passwords for websites where you’re using the same credentials.

Depending on the nature of the data breach and the information involved, you may also receive guidance about being alert to phishing emails or other scams.

What if a business doesn’t tell me my data has been compromised?

Depending on the nature of the breach, you might never know!

There are some tell-tale signs to look out for, though. For example, a business that unexpectedly asks you to update your password could be doing so because it has suffered a data breach. The breach might not be so severe that they need to tell you about it per the ICO’s guidance, but they might still get you to take action that would suggest a breach has occurred.

At the same time, some businesses might automate password resets periodically. Still, they’ll usually tell you about this policy rather than just contacting you out of the blue to update your credentials!

You can also complain to the ICO about a data breach if you feel a business or another organisation has compromised your data.

Can I claim compensation if I’ve been affected by a data breach?

It depends on the circumstances.

While being added to an email list you didn’t subscribe to is technically a data breach, it’s unlikely to have such an impact on your life that compensation would be due.

In contrast, if a business was negligent with its security practices and it led to your sensitive data being stolen and you falling victim to fraud, you would have a stronger case for claiming compensation.

Contact LawPlus Solicitors for a free, no-obligation review of your potential data breach claim.
