The sky’s the limit – compensation for data breaches could take off

We take the security of your data extremely seriously. 

Do you recognise this phrase?

Consumers in general have been receiving an increasing number of letters or emails that include this phrase (or something similar) in recent months.   Chances are the communications have come from businesses that have suffered data security breaches apologising to their customers for the security of their data having been compromised in some way.  Only last week, British Airways Chief Executive announced that the company had suffered a data breach affecting thousands of its customers who had made bookings online.   Shares in IAG, BA’s parent firm, dropped on the announcement, customers have been taking to social media to voice their anger whilst scrambling to cancel payment cards and there is now talk of a £500m group action by disgruntled customers.

There is a very good reason for the significant increase in notifications.  This is because the rules on data breach notification changed significantly on 25 May 2018.  The new rules mean:

  • if a breach is likely to result in a risk to the individuals affected, the data controller must notify the Information Commissioner’s Office without undue delay and, where possible, within 72 hours of becoming aware of a personal data breach.
  • processors (i.e. organisations that process personal data on behalf of controllers) must inform controllers without undue delay on becoming aware of a personal data breach.
  • those poor individuals affected must be told by the controller without undue delay where the breach is likely to result in a high risk to them.

These new obligations require businesses to be much more proactive when dealing with, and responding to, personal data breaches.  Even allowing for the potential significant harm to a business’s reputation (and share price), the potential financial ramifications for getting things wrong are very severe.  The ICO can now apply fines up to the greater of 20 million euros or 4% of a business’s total worldwide annual turnover.  Individuals also have the right to seek compensation for damage suffered and group actions are likely to become increasingly common.

There are also important compliance obligations to bear in mind when handling the fall-out from a data breach.  For example, when informing the ICO, affected businesses must provide the ICO with certain minimum information.  They must also maintain a record of all personal data breaches.   As well as ensuring communications to individuals describe the nature of the breach in clear and plain language, such notices must also include minimum information.

Are you prepared?

As a business, ask yourself if you are prepared for managing the fall-out from a data protection breach?

  • Do your staff know how to escalate a security incident within your organisation?
  • Will your staff recognise a personal data breach?
  • Do you have a data breach response plan in place?
  • Who will decide whether the personal data breach should be reported and, if so, to whom?
  • Which individuals have responsibility for managing breaches?
  • How would you cope with a flood of claims or a group action for compensation?
  • Do you know what information the ICO requires?
  • Do you know what affected individuals have to be told?
  • Do you log all security incidents?
  • Do your contracts with your service providers deal with what should happen in the event of an incident?

Our team of data protection experts have significant experience of advising organisations on preparing data breach response plans and managing and responding to personal data breaches.

Latest updates from @MacRoberts