EOL IT Services has now merged with tier1 Asset Management Ltd

Can Individuals Claim Compensation from Your Business after a Data Breach?

Jul 28, 2015 | IT Security

Unfortunately, data breaches within businesses are more common than anyone would like. Often, these breaches result simply in a lesson learned, rather than in any legal action being taken. However, it is important to always be prepared for the possibility of customers involved in the breach taking legal action against you.

Are they within their rights to do so, and will an individual have the ability to claim compensation from your business after a data breach?

This issue was seen recently with Google, after individuals claimed that the company breached the data protection law. The three individuals involved in this Vidal-Hall v Google case asserted that Google had been collecting private information about how they used the internet through the Safari browser on Apple devices. The company had allegedly stored this information without their knowledge or agreement and had gone on to use this data as a part of its marketing offer to advertisers.

The claimants didn’t seek damages for loss of money, but did want compensation for the worry and distress caused by the data breach.

Section 13 of the UK Data Protection Act 1998 indicates that proof of actual monetary loss is required in order to successfully gain compensation. However, in this case, the UK Court of Appeal decided that there was good enough reason for the victims to claim damages and that, in spite of the UK DPA, proof of such measurable loss was not necessary for the claimants to receive their compensation.

The particular section of the Data Protection Act suggests, in broad terms, that if someone suffers damage as a result of a data breach, they are entitled to such compensation. Whilst this doesn’t exactly state that this damage is of a measurable value, it is what is indicated. The act does state that compensation for distress is payable in certain circumstances.

However, these ‘certain circumstances’ are not specified, suggesting that it is up to individual judges to make an informed decision based on the case they are dealing with at the time and other legal information available to them.

It should be said that the judge did not base this decision solely on personal opinion; section 23 of the EU directive was consulted, in which there was evidence to support the victims’ claims. The directive advises that EU Member States must ensure that anyone who suffers damages because of a data breach should receive compensation for these damages.

The Court of Appeal concluded that, in this context, ‘damages’ should include both material (i.e. monetary) and non-material (i.e. emotional) damage.

Of course, this decision was based on preliminary information, and the final judgement could have been different to these initial decisions. However, the fact that the judge was able to use other legal material to interpret the DPA differently from the most basic reading of the document means that the case certainly proves a point: even when you think you are ‘safe’, you may not be.

Businesses should focus heavily on protecting any data, both new and old, in order that they comply with the UK DPA. Now there is even more of an incentive to avoid having to compensate any individuals affected in such a breach.

The correct procedures for IT asset disposal will play a major part in protecting against these types of loss.

