Data breach compensation and claims
Data breaches can have serious financial and emotional impacts
All organisations that hold personal information about individuals have a responsibility to keep this information safe.
If the organisation discloses this information to someone else without the person’s permission this is known as a data breach.
Our current data breach claims
Data breach by Stor-a-File affecting Lister Fertility Clinic, Marie Stopes and British Pregnancy Advisory Service
Leading data breach lawyers say that this month’s announcement by Stor-a-File, the document management firm, that data it held electronically for 13 organisations, had been hacked is likely to lead to substantial claims for compensation by those affected.
MoD Afghan interpreter data breach claim
Contact our data breach team today to start your claim
Transform Hospital Group data breach
Transform Hospital Group has confirmed that they had suffered a data security incident in which “an unauthorised third party” accessed elements of their IT system on 6th December 2020
easyJet data breach 2020
Find out more about the easyJet data breach and how you can join the claim.
Contact us today
Call us on
Data breaches can occur
- If someone from the organisation deliberately shares confidential information with others without the person’s knowledge
- When a successful cyber-attack or hack leads to a criminal gaining unauthorised access to the information. This is usually due to organisation’s failing to have adequate security measures in place to prevent the attack.
What the directories say
Sean Humber is instructed by clients seeking advice on data breaches involving sensitive personal data. He represents individual claimants as well as companies. "He's very responsive, professional, innovative and looks for solutions for his clients." "He's a great strategic thinker and lawyer."
Chambers and partners 2022
Each year, the Information Commissioner’s Office (I.C.O.), the UK's independent body set up to uphold information rights, issues fines totalling many millions of pounds against organisations for failing to keep people’s personal information safe.
While some breaches affect only one person, other data protection breaches may affect millions of people and can make the national news. Some recent high-profile examples include:
- Over nine million EasyJet customers had their personal details hacked as a result of a cyber-attack;
- Over 100 TalkTalk customers had their personal information hacked in a series of data breaches suffered by TalkTalk in 2014 and 2015;
- Over three million mobile phone customers’ personal details were hacked as a result of a successful cyber-attack of Carphone Warehouse’s IT system in 2015.
If a cyber-attack or hack has compromised your personal data, you may be entitled to data breach compensation. This can cover the loss of control over this information together with any anxiety and distress suffered and any financial losses incurred.
More information about data breaches and information rights
A data breach happens when unauthorised people access private information, or it is released into an uncontrolled environment (such as online).
Data protection breach examples include:
- The names and home addresses of customers appearing on a public website;
- Bank details (including account number and sort code) being stolen in a cyber-attack and then used for fraud or identity theft;
- Names of those signed up to sensitive websites, like dating sites, being disclosed;
- A letter containing somebody’s medical details being sent to the wrong postal or email address;
- Somebody’s personal details being included in a group email.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 are the main laws that strictly control how your personal information can used by organisations, businesses or the government.
There are many different types of data breach. Some can be deliberate. For example, a disgruntled member of staff at a company can leak personal information to others without the individual’s knowledge or consent.
In other cases, the breach can happen unintentionally. For example, a business may suffer a successful cyber-attack of its customers’ personal information as a result of inadequate security, or a Hospital may send a letter containing confidential medical information to the wrong address.
The loss of personal information as a result of a data breach can have a significant emotional and financial impact on the victim. The loss can cause anxiety and distress due to concerns at how the personal information could now be used. It can also cause considerable inconvenience in the victim now needing to urgently take steps to try and minimise the risks posed by the breach. In some cases, especially where financial information is stolen in a breach, it can lead to fraud, identity theft and loss of money. For all of these reasons, victims should apply for data breach compensation.
Three important examples of serious data breaches are:
- EasyJet: In one of the UK’s largest ever data breaches, EasyJet announced in May 2020 that the personal details of over nine million customers has been hacked as a result of a cyber-attack.
- Carphone Warehouse: Over three million mobile phone customers’ personal details were hacked as a result of a successful cyber-attack of Carphone Warehouse’s IT system in 2015. The firm were fined £400,000 by the I.C.O. for the breach.
- TalkTalk: Over a hundred TalkTalk customers had their personal information hacked in a series of data breaches suffered by TalkTalk in 2014 and 2015.
Organisations often hold a huge amount of data about their customers - from confidential information such as names and addresses to financial data like credit card and bank details.
Under the GDPR, a company is obligated to inform both you and the I.C.O. without delay if there is a serious data breach affecting your personal information. They should explain:
- The likely consequences of the data breach
- Measures taken or in place to tackle the breach and any adverse effects
- Who their data protection officer is and their contact details
If you think your personal data may have been disclosed as a result of a data breach but have not been informed by the organisation from whom information was taken, contact them directly. They should then tell you whether your personal data has been disclosed as a result of a data breach.
Contact Leigh Day if you believe a breach has involved your personal data, but the company in question have not notified you. Our data breach solicitors can investigate your concerns and assess whether you have a viable claim for compensation.
Get in touch with our specialist data protection solicitors to start your compensation claim for financial loss and/or emotional distress caused by a data breach.
- Call 020 8038 9412 for a free initial consultation
- Email firstname.lastname@example.org and someone will respond soon
One of our specialist data protection, privacy and information law experts will listen to your case. If we believe you have a claim, the first step may be to complain directly to the company responsible. This can be the quickest way to settle a data breach claim, should the organisation accept they were at fault.
Reporting the data breach to the I.C.O.
If you have been a victim of a data breach, you may also wish to complain to the I.C.O. who, as the UK's independent body set up to uphold the public’s information rights, are able to investigate the matter and fine the organisation . They can’t award compensation to those affected, but their actions, including any reports they produce as part of their investigations and findings that the organisation has not complied with the law, may help support your case.
The amount of compensation you’ll receive if you’re the victim of a data breach depends on the exact circumstances relating to the breach, including:
- Sensitivity of the data stolen;
- How many people accessed your data;
- Length of time between the breach occurring and being informed;
- How long unauthorised access to the data was / is available;
- Anxiety and emotional distress encountered;
- Any financial losses experienced.
You could receive compensation for the loss of control over the information even if you suffered no financial loss. . As stated above, the I.C.O. can issue fines to organisations for breaching the GDPR and / or Data Protection Act 2018. However, the fines are distinct from any that can be claimed by victims of data breaches. Their findings that an organisation has not complied with the law, usually after a lengthy investigation, can be helpful in support of a claim for compensation too.
Information law is becoming an increasingly important part of a citizen’s rights which has recently been brought into the public eye in the cases involving MPs expenses and the Cabinet documents relating to the Iraq war.
We act for individuals in relation in requests for personal information, made under the Data Protection Act, held in relation to them by bodies.
We also act for individuals and campaigning groups in relation to requests for official information, made under the Freedom of Information Act and / or the Environmental Information Regulations, held by public authorities.
In addition, we act in judicial review challenges, complaints to the Information Commissioner and appeals to the Information Commissioner in relation to the inappropriate refusal of these bodies to release the information requested.
We also act for individuals in cases where bodies have inappropriately released personal information without the person’s consent to third parties (so-called breach of confidence cases).
Examples of recent successes include:
- Acting for Haemolytic Uraemic Syndrome Help (HUSH), an E. coli 0157 food poisoning charity, in relation to the Food Standards Agency’s refusal to release information and failure to consult with regard to proposed changes to guidance on the time and temperature needed for the safe cooking of burgers;
- Acting for an individual in a successful claim for compensation for breach of confidence against an NHS Trust in relation to the unauthorised disclosure of extremely sensitive confidential medical information, without her knowledge or permission, to the person’s family causing permanent estrangement from family and psychiatric injury.
- Acting for Campaign Against Arms Trade in an appeal to the Information Tribunal following the MOD’s refusal to disclose copies of the underlying contractual documents from the Al Yamamah arms deal with Saudi Arabia in the 1980s. We successfully secured the appointment of a Special Advocate to represent the client in the closed parts of the hearing.
Contact us today
Call us on
Data breach FAQs
Breaching the law can result in a fine for the organisation responsible. The amount depends on the circumstances of the case, up to a maximum of €20 million or 4% of total annual worldwide turnover in the preceding financial year (whichever is higher).
Organisations must report a data breach to the I.C.O., as the relevant authority, without undue delay and no later than 72 hours after being made aware of it. Any longer than this and they must give reasons for the delay. The organisation is also obligated to tell its affected customers without undue delay when there is a data breach affecting their personal information. Often, when an organisation contacts somebody affected by the data breach, it will also say that it has reported the matter to the I.C.O.
Why choose Leigh Day?
Our human rights department has more than 20 years’ experience working across the field of data protection and privacy.
With the constant updates to how individuals and businesses use personal information and data, we keep on top of changes to information and data protection law to best advise our clients. We have brought successful compensation claims in cases where others wrongly accessed clients’ personal, medical and financial information.
Partner Sean Humber has a vast level of experience in privacy, data breach and information law. He has achieved settlements across cases when confidential information was disclosed deliberately and accidentally without a person’s consent or knowledge. Claims against a range of companies, the police, local authorities and the NHS.
Partner Gene Matthews has almost 20 years of experience bringing group claims (multiple party actions) on behalf clients against multi-national companies and actions against the Government.