Data Breaches and Implications

Key Contact: Lowri Morgan-Macdonald

Author: Abby Stephens

The Information Commissioner’s Office (the ICO), the independent authority responsible for regulating data protection in the UK, has imposed a significant number of fines on companies in recent years for failing to protect customer information. For example, British Airways (BA) was fined £20 million by the ICO in October 2020 for failing to protect the personal and financial details of more than 400,000 of its customers. In the same month, the ICO fined Marriott International Inc. £18.4 million for failing to keep millions of customers’ personal data secure.

Similarly, in January this year, it was announced that Norway’s Data Protection Authority plans to fine the LGBT social networking and dating platform Grindr 100m Norwegian Crowns, or around 10% of Grindr’s estimated global revenue (the equivalent of around £8.5 million), for illegally selling user data to advertisers. The data breach was revealed last January, after the Norwegian Consumer Council made three complaints against Grindr for sharing personal information with advertisers.

However, it is not just substantial regulatory fines that companies need to be aware of; data breaches can also result in reputational damage and the threat of expensive civil litigation, as we have seen recently with BA. To avoid this, it is vital that (amongst other things) data controllers and processors assess whether they are doing enough to prevent cyber-attacks and protect their customers’ personal data.

Litigation

Under data protection law, customers are entitled to take their case to court to (i) enforce their rights under data protection law if they believe those rights have been breached; and / or (ii) claim compensation for any damage (including any distress suffered) caused by an organisation that has broken data protection law. Where both a data controller and a data processor involved in the same processing are responsible for any damage, each of them is jointly and severally liable. Damages awards for such claims vary; however, the individual victims of the BA data breaches are reportedly in line for up to £2,000 each. This may seem a small sum, but where there are multiple claimants, such awards can quickly add up, on top of the legal fees involved in defending such claims as well as any regulatory fines already levied by the ICO.

Last month, it was also reported that Facebook is being sued again for “losing control” of the data of around a million users in England and Wales. The action seeks damages from Facebook for its failure to comply with data protection laws and for failing to look after customer data. 

Reputational damage

Another major impact following a data breach is the effect on the company’s reputation. A company’s brand and reputation are unquestionably and inextricably linked to how it manages and mitigates its cyber risk and protects the personal data of its customers. For example, a company that suffers a data breach, particularly one that is widely reported and involves sensitive and / or financial data, risks losing existing and potential customers who may lose confidence in that company’s ability to adequately protect their personal data. It is therefore essential that companies have measures, policies and procedures in place not only to prevent (or mitigate as far as possible) the risks of a data breach occurring, but also to manage their reputational risk in the event that such a breach does occur.

How we can help

If you have any questions in relation to the above or you would like further information on how you can protect personal data, please contact Lowri Morgan-Macdonald in our Commercial and Technology team.  
