Personal data is increasingly valuable in today’s digital world. Your personal data and sensitive information is entrusted to organisations such as banks, financial institutions, law firms, governmental departments and medical practices.
There has been limited UK case law on negligence claims for data breaches, primarily because it is difficult to prove foreseeability, causation and loss. However, with cyber criminals becoming more sophisticated in hacking personal data and being able to extract this information for fraudulent gain (i.e. through identity theft, stolen bank details), it is more likely that an organisation may be negligent in failing to take steps to prevent such attacks.
Given that it has been reported that negligence among staff regarding cybersecurity is the greatest risk to leaking data to unauthorised parties with 66% of data breaches down to employee negligence or malicious acts, claims for breaches of personal data will be on the rise. If your personal data and/or confidential information relating to you or your company has been entrusted to a third party, who has provided inadequate protections for this data, which is subsequently the target of a cyberattack, then you may have a claim for negligence.
What is personal data?
Personal data is information relating to an individual. For example, the name, address, telephone number, National Insurance number, IP address and biometrics (photographs, blood sample, DNA, fingerprints).
What are data breach claims?
A data breach claim can arise where negligent business processes, cybercrime or human error have resulted in financial loss or identity theft. For example, where: data has been inadvertently lost; identity has been stolen to obtain credit cards fraudulently; personal data sent to a third party (such as an insurer) without your consent; personal information has been mis-used or a company’s data leaked (for example bank details or business plans).
Human error is one of the leading factors giving rise to cyber security risks. Human error is an avoidable factor regarding cyber security, and business owners should take precautions to prevent the likelihood of a security breach by deploying security controls such as preventing employees from emailing documents to personal accounts or copying them on to a USB or file-sharing website. If adequate protections are not in place as a data holder, then you may have a claim in negligence against them if your personal data subsequently gets hacked by cyber criminals.
If this duty is breached and for example your personal data is hacked, then you may have a claim against the company entrusted with your personal data.
What is the UK legislation regarding personal data?
- Data Protection Act 1998: establishes how personal information can be used.
- Computer Misuse Act 1990: discourages the use of computers for illegal purposes eg fraud and making changes to stored data without permission eg installing malware.
- Malicious Communications Act 1988.
- Copyright, Designs and Patents Act 1988: gives control to creators of content the right to control how it is used.
- General Data Protection Regulation (GDPR).
How do I make a data breach claim?
If you have suffered financial losses as a result of a data breach, for example, as a result cybercriminals apply for credit in your name then there are different methods to achieving compensation.
The Information Commissioner’s Office (ICO) has the power to impose fines for organisations that fail to meet GDPR/Data Protection Act standards. A complaint can be made to the ICO directly.
However, companies liable for data breaches are more likely to settle the case if their professional indemnity insurers are notified of a professional neglgience dispute. Commencing litigation in the High Court for a company falling below the standard of care and not safeguarding data, is more likely to lead to optimal settlement.
Data Breach Case signals start of cyber negligence claims in the US
Private rights of tortious action are on the rise in the USA, with courts recently more willing to find that consumers have the right to sue companies and organisations on the basis that their personal information has not been adequately protected.
At the start of this year, the U.S. District Court for the Northern District of Georgia held in a class action suit that Equifax owed a duty of care to protect consumers’ information from a data breach. The company was at the centre of a huge security breach in 2017 when over 100 million people had their sensitive information compromised (such as social security numbers, credit card information, addresses and birth dates).
The judge rejected the Defendant’s submission that there was not a sufficiently alleged injury and in particular:
“The Court finds that [a precedent] supports the conclusion that the Defendants owed a legal duty to take reasonable measures to prevent a reasonably foreseeable risk of harm due to a data breach incident”Judge Thomas W. Thrash, Jr
This case has been subsequently settled out of court for almost $800 million USD, but demonstrates a growing judicial trend to accept the principle that it is negligent to not safeguard personal data and that subsequent data is mined in a cyber attack.
What are the examples of negligence leading to a cyberattack?
Skill-based behaviour – This is when an employee at the data holder may have slips or lapses which could occur in tasks that are very familiar. These often occur when people get distracted in tasks that are very familiar.
Knowledge-based mistakes – These occur from a trial and error process in which the individual may have insufficient knowledge on how to perform a task which therefore may lead to the task being accrued out incorrectly.
Rule-based mistakes – These happen when an employee at the data holder may choose not to follow a particular rule which therefore creates unexpected outcomes such as data leaks.
What are common examples of negligence in relation to cyber security?
This occurs when an email containing malicious content is sent disguised as a trusted source. The aim of this attack is to gain private or confidential data. In 2018 the Verizon Data Breach Report revealed that 96% of the time emails are used to attempt to breach security.
In 2018 Wombat Security’s User Risk Report suggested that over 60% of respondent’s reused passwords across various online platforms, this created the risk of all platforms to be compromised if a breach of security were to happen. Other human errors that featured regarding passwords were sharing passwords with others and saving passwords on computers.
Incorrect Management of Privileged User Accounts
Often high privilege accounts are protected with inadequate security with security controls rarely being updated, this makes admin accounts easy targets.
Unauthorised Users Having Access to Corporate Devices
The 2018 Wombat Security Report also suggested that 55% of professionals gave unauthorised users, such as friends and family, access to devices issued by their employer allowing them access to possibly sensitive information.
Misdelivery occurs when information is sent to the wrong recipient. An example of this can be seen in the healthcare industry where Employees have sent emails containing Protected Health Information to the wrong patient.
Instruct us to bring your negligence claim
Often cases against professionals are hard fought with complex arguments as most professionals (such as barristers and solicitors firms as in this case) have professional indemnity insurers who will instruct City of London law firms to defend the litigation. To ensure equality of arms, claimants should instruct experts like us with a proven record of success in bringing complex legal claims to trial and settling disputes to the satisfaction of our clients.
Book an Initial Consultation
If you have a potential claim against a professional get in touch with us so we can assess the legal merits of your case. We often take on such claims on a no win no fee basis once we have advised you on the merits of the proposed professional negligence action.
Our expert legal team of leading Professional Negligence Solicitors & Barristers are available to provide urgent help, advice or representation. Just call our London Professional Negligence Lawyers on ☎ 02071830529 or fill out our case assessment form.
Specialist Cyber Security Negligence Solicitors
We are a specialist City of London law firm made up of Solicitors & Barristers operating from the only law firm based in the Middle Temple Inn of Court adjacent to the Royal Courts of Justice. Our team have expertise in advising on claims for compensation against professionals that have fallen below the standard expected, which causes clients financial or personal loss. We are experienced in bringing successful claims against negligent solicitors, barristers, financial advisers, surveyors, valuers, architects, tax advisers and IFAs.
LIMITATION ACT 1980 – WARNING
The Limitation Act 1980 sets out strict statutory deadlines within which you must bring litigation claims. Your legal rights will become irreversibly time-barred if you fail to take legal action (or defend a claim on time). Therefore, you should seek specific legal advice about your legal dispute at the very first opportunity so that you understand the time you have left. Failure to take advice or delay in taking action can be fatal to your prospects of success.