Often there are times when we must give out our personal data, such as when starting a new job. When we do so, we trust that the organisation we are supplying this data to keeps it safe and handles it properly. Companies have a legal obligation to store your personal data safely, ensure it is kept up to date and accurate and protect it from any potential breaches.
In April 2021, a client came to HNK Solicitors looking for help to pursue a data protection claim against their former employer after the company had suffered a ransomware attack that led to the Claimant’s personal data being exposed. We fought on behalf of the Claimant on a no-win, no-fee basis to ensure they got the compensation they deserved for the distress caused.
The Claimant in this case was a former employee of the Defendant. After leaving the business, the Claimant received an email from the Defendant informing them that the Defendant had experienced a ransomware attack in which an unauthorised third party had accessed their systems. The Defendant later confirmed that the cyber-criminals had already published some of the personal data to the internet.
The personal data of the Claimant that was exposed included their health screening data, payroll data (including National Insurance number), pension information and new starter information, including documentation used for identification purposes.
The law surrounding data breaches
The law is clear surrounding breaches of information. The Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR) both impose extensive and detailed requirements on organisations that store or process personal data. Anyone who holds your personal details must legally keep them stored safely and protect them effectively from potential breaches.
One part of those extensive and detailed requirements is an obligation to ensure that personal data is processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical or organisational measures.
A breach of this obligation, as well as any other data protection obligations, entitles those affected to claim compensation for the distress and inconvenience suffered as a direct result of the data breach. In this case, it was a clear breach of data protection, so the Claimant sought out help from HNK in order to obtain compensation.
The data breach claim
The Claimant approached HNK Solicitors in April 2021 and instructed us to act on their behalf in this matter. We accepted instructions on a no-win, no-fee basis. Our data breach protection solicitors claimed damages on behalf of the Claimant for breaches of legal obligations under the Data Protection Act 2018, the UK GDPR, a breach of contract, a breach of confidence and misuse of private information.
A letter of claim was served to the Defendant. In response to this, the Defendant denied that there had been any breach of their data protection obligations because they were the subject of a ransomware attack. The Defendant believed the security they had in place to protect the Claimant’s data was sufficient and there was nothing more they could have done. The Defendant also denied that the incident would have caused any distress that could result in compensation.
The Defendant also provided limited disclosure, confirming the personal data that was exposed.
Dan Higham, data breach solicitor at HNK Solicitors and the case handler, reviewed the response provided by the Defendant and advised the Claimant to challenge their denial of liability and to put forward the following submissions:
- Whilst the Defendant may have security in place to protect the Claimant’s personal data, that security was not sufficient to prevent any such ransomware attack.
- The Defendant should disclose the details of the security measures in place in support of their denial of liability.
- The personal data exposed was significant, special category data, which included the Claimant’s medical data, passport, birth certificate and bank details.
- The failure to protect the Claimant’s personal data amounts to a breach of the Data Protection Act 2018 and the UK General Data Protection Regulation.
- The personal data exposed is private and confidential, and the Defendant’s failure to ensure the same amounts to a breach of confidence and a misuse of private information.
- The Defendant failed to ensure the appropriate security of the Claimant’s personal data.
The Defendant, in response to the submissions, made the Claimant a settlement offer. However, the offer was not reasonable given the nature of the personal data exposed. Dan Higham advised the Claimant to make a realistic counteroffer.
Negotiations continued between the parties; however, following a recent Supreme Court Judgment, the position on obtaining compensation for a loss of control of personal data changed. This Judgment, as well as a change in the position on the Claimant’s ability to pursue a claim for misuse of private information, led to the Defendant withdrawing from settlement negotiations.
Dan Higham assessed the situation and the Claimant’s options to proceed and advised the Claimant to apply to the Court to force the Defendant to provide the details of the security measures in place at the time of the ransomware attack. This information would allow the Claimant to assess if the measures in place were appropriate to protect their personal data.
The Defendant did not want to disclose this information to the Claimant and did not want to risk losing the application to the Court. As such, the Defendant started to engage in settlement discussions once more.
The outcome of the claim
Negotiations took place between the parties and the claim settled for over £10,000.00 in full and final settlement of the claim and the application to the Court, the figure covering both the Claimant’s compensation and legal costs.
HNK Solicitors can help with your data breach claim
If your personal data has been exposed, lost or insecurely held, contact our Data Protection department to see if we can assist with obtaining compensation on your behalf. We are experts in the field of data breach claims, and we will fight to ensure you get the compensation you deserve. Get in touch with our team today via the form on our contact page or by emailing firstname.lastname@example.org.