Data breaches are now a near-constant feature of the news cycle. At the end of July, for instance, Amazon made headlines after being issued an astonishing £636m fine for allegedly breaching EU data protection laws – a finding that Amazon vehemently disputes. Just one week earlier, Saudi Aramco, the world’s most valuable oil producer, confirmed that data stolen from one of its contractors was being used in an attempt to extort money from the company – an incident widely reported as a “ransomware” attack, although the data was leaked and held to ransom rather than encrypted on Aramco’s own systems.
These are only the most recent examples. You only need to go back a few months further to find yet another major company in the news for data protection issues. In April it was revealed that 533 million Facebook users had had their phone numbers exposed to hackers. Facebook downplayed the significance of the incident, while data experts argued otherwise.
All of this media attention is not only frightening, but it can also be confusing. The prospect of having your bank details stolen by cybercriminals and used for nefarious ends is certainly a worrying one. But other cases can be harder to follow, both in terms of how the data was stolen and what uses it can be put to by those intent on causing harm.
In this post, we’ll try to answer some of the basic questions you may have about data breaches – first and foremost, “what constitutes a data breach?” After explaining what data breaches are, we’ll look at some of the potential consequences they can lead to. We’ll also explain some steps you can take to protect yourself. Finally, we’ll look at your right to seek compensation if a data breach has negatively impacted you.
What constitutes a data breach?
In simple terms, and as the phrase is used throughout this post, a data breach has occurred whenever a company or organisation has failed to follow the relevant data protection regulations. In the UK, the main rules are the UK GDPR (the version of the EU General Data Protection Regulation retained in UK law after Brexit) and the Data Protection Act (DPA) 2018. Note that the regulation itself uses the narrower term “personal data breach” (Article 4(12)) for a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; other infringements of the rules – for example keeping data for too long – are not “breaches” in that strict sense but can still give you rights against the organisation.
These regulations set out stringent requirements for safeguarding personal data that organisations store or process. They mark a substantial strengthening of the UK’s data protection laws and are designed to ensure that you have full control of how your data is used.
This provides the basic answer to the question, “what constitutes a data breach?” However, in order to have a fuller sense of what this means in practice, we’ll need to look a little more closely at the GDPR.
The GDPR’s data protection principles
The GDPR is centred on seven key principles, set out in Article 5. These are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles govern the actions that organisations must take or avoid in order to properly protect the data that they store.
The principle of “purpose limitation”, for instance, stresses that any data must only be collected for “specified, explicit, and legitimate purposes.” That is to say, a company can only use your data in certain specific and limited ways, and you must be told what those ways are. “Data minimisation,” meanwhile, means that they should not store any more data than they need for these purposes, and “storage limitation” stresses that data must not be kept longer than necessary. “Accuracy” requires that data is kept accurate and, where necessary, up to date. “Integrity and confidentiality” – the security principle – requires appropriate technical and organisational measures to protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage; this is the principle most at stake when hackers get in because of weak security.
Any failure to meet these principles constitutes a data breach. As the principles are varied, this means that data breaches can take many forms. Importantly, these do not always match the familiar cliché of shady criminals hacking into databases. For instance, a company that keeps hold of your data after you have stopped using their services may have committed a data breach unless they have some justifiable reason to retain this information. Similarly, a company that has not taken reasonable steps to ensure the data they hold about you is accurate will potentially have committed a breach.
What impact can a data breach have?
Understanding the basics of the UK’s data protection regulations is an important step to keeping yourself safe. If you understand what constitutes a data breach, this can help you spot when a company is failing to meet its data protection obligations. As a result, you can take steps to mitigate the risks you face.
This is particularly significant because the consequences of a data breach can be so devastating. They can include:
- Financial losses
- Identity theft
- Emotional distress
- Reputational damage
- Loss of control
Of course, the potential impact depends to a certain degree on the nature of the breach, both in terms of the kind of information that was exposed and who was able to access it.
For example, if cybercriminals are able to access your bank account details due to an organisation failing to have adequate cybersecurity systems, this can obviously lead to immediate and potentially substantial financial losses.
However, even with limited information, the consequences can be severe. Using just your name and email address, for instance, cybercriminals can conduct convincing “phishing” attacks by contacting you in the guise of a trusted organisation – for instance, sending an email that purports to be from your employer or your bank. Knowing your name, and perhaps which companies you have accounts with, lets them make the message look legitimate. In this way, they can gather further information, potentially of a more sensitive nature.
Finally, failure to meet any of the GDPR principles outlined above can have significant consequences. In a recent case taken up by HNK Solicitors, Essex Police unintentionally sent information about an allegation for which our client had been interviewed to a third party. This failure to ensure the accuracy of the information they retained constituted a significant data breach. This led to substantial emotional distress and embarrassment for our client. Essex Police ultimately agreed to pay £11,500 in damages.
We’ll discuss the process of claiming compensation for a data breach in more detail below. Prior to this, let’s consider some steps you can take to protect yourself if you’ve been a victim – or if you simply have some concerns about how organisations are using your data.
Protecting yourself from data breaches
Unfortunately, it is impossible to be completely safe from data breaches. As soon as you share personal information with a third party, the potential for unauthorised access is there, and it can never be fully eliminated. Human error is unavoidable, and cybercriminals will always seek new and innovative ways to access personal data. After all, the results can be extremely lucrative.
Nevertheless, there are steps you can take to maximise your safety. These are applicable whether you have already suffered a data breach, or you just want to limit your chances of being a victim.
It is an unfortunate fact that most people use extremely weak passwords – that is to say, passwords that are easy for cybercriminals to guess using automated tools, which try lists of common passwords and personal details at very high speed. Your middle name, your date of birth, and common words or phrases should all be avoided, as should simple numerical sequences. If you use “1234” or “password” as a password for any of your online accounts, you should change it immediately.
The strongest passwords are those that avoid dictionary words and personal details, and above all are long; length does more for you than mixing in symbols. The best password is a long string of random letters, numbers, and symbols generated for you by a password manager. For the few passwords you genuinely have to remember, such as the one that unlocks that manager, a passphrase of several unrelated words (the UK National Cyber Security Centre suggests three random words) is both strong and memorable.
You should also avoid reusing passwords across different accounts. If you do use the same password in several places, then, once cybercriminals obtain it from one breach, they can simply try it on all your other accounts – an automated attack known as “credential stuffing”. This was one of the causes behind the Boots Advantage card hack discussed previously on our blog. If you use a different password for each account, a breach at one site does not spread to the others.
Of course, having multiple passwords comprised of long sequences of random characters is not practical if you try to remember them yourself. You may be tempted to write them down, but this, of course, has plenty of risks. Using password management software is a safer choice.
Many websites now offer two-factor authentication, commonly shortened to 2FA. This means that, alongside your password, you’ll also need to provide a one-time code when you log in. This is often sent to you as a text message or an email, but many sites also support an authenticator app on your phone, which generates the code itself, or a physical security key that you plug in or tap.
2FA means that anyone trying to access your account using your password will not be able to do so unless they also have your second factor. This added element of security can make a huge difference to the safety of your data, and you should use it whenever it is available. Two caveats are worth knowing. First, codes sent by text message can be intercepted by a criminal who persuades your mobile network to move your number to their SIM (a “SIM swap”), and codes sent by email are only as safe as your email account, so an authenticator app or security key is the stronger choice where it is offered. Second, a convincing phishing page can ask you for the code as well as your password and pass both straight on to the real site, so the advice on phishing below still applies even with 2FA switched on.
Be wary of phishing scams
If your data has been exposed in a data breach, you may not suffer any immediate consequences. For instance, perhaps only your name and phone number or email address were exposed. On their own, these details allow relatively little direct harm. But what cybercriminals can do is use them to try and get more.
As we mentioned above, “phishing” is the practice of impersonating a trusted organisation to trick you into handing over sensitive information, such as passwords, card details or login codes. If you know that a data breach has exposed some of your information, you should be extra wary of such scams, since the criminals may quote the leaked details to make their message look genuine. Double-check the authenticity of any message that claims to come from a trusted source – your bank, energy company, employer, etc. – especially one that creates urgency or asks you to log in through a link.
The safest option is never to reply directly to these messages, click their links, or use the contact details they provide. Instead, go directly to the website of the organisation in question by typing its address yourself or using a saved bookmark, and use the contact details you find there.
Claiming compensation for a data breach
Now that you know the answer to the question “what constitutes a data breach?”, you’ll be better placed to assess whether you’ve been affected. You can also take steps to avoid being affected by one in future.
Of course, as we’ve mentioned, you can never be perfectly safe. While the steps above can minimise the risks, a data breach is always a possibility, and the consequences can be severe even if you are careful to protect yourself as far as possible.
That’s why the GDPR also enshrines (in Article 82) your right to claim compensation from the organisation responsible if you have suffered damage, including distress, as a result of a breach of the data protection rules.
In order to claim compensation, you may need to take the organisation responsible for the breach to court. Though this may seem like a major step, it is important to consider it if you have suffered negative impacts from a data breach. Compensation can be an important way to offset any damage caused – and this includes any emotional distress.
After all, the very fact of your personal data being accessed by others, and the anxiety about the potential consequences, can be deeply troubling. It can even have serious mental health implications, especially if the information exposed is sensitive.
HNK can help with your data breach claims
If you are considering making a compensation claim as a result of a data breach, it’s important to get advice and support from expert data breach solicitors. Here at HNK, we have extensive experience in helping data breach victims get the compensation they deserve.
We offer free consultations, so if you have been impacted by a data breach, get in touch to find out how we can help you. We can talk through the details of your case and help you understand whether you may be entitled to compensation. If we think you do have a claim, we can offer to take it up on a no-win, no-fee basis.