Data Breaches and Implications
Key Contact: Lowri Morgan-Macdonald
Author: Abby Stephens
The Information Commissioner’s Office (the ICO), the independent authority responsible for regulating data protection in the UK, has imposed a significant number of fines on companies in recent years for failing to protect customer information. For example, British Airways (BA) was fined £20 million by the ICO in October 2020 for failing to protect the personal and financial details of more than 400,000 of its customers. In the same month, the ICO fined Marriott International Inc. £18.4 million for failing to keep millions of customers’ personal data secure.
Similarly, in January this year, it was announced that Norway’s Data Protection Authority plans to fine the LGBT social networking and dating platform Grindr 100m Norwegian Crowns, or around 10% of Grindr’s estimated global revenue (the equivalent of around £8.5 million), for illegally selling user data to advertisers. The data breach was revealed last January, after the Norwegian Consumer Council made three complaints against Grindr for sharing personal information with advertisers.
However, it is not just substantial regulatory fines that companies need to be aware of; data breaches can also result in reputational damage and the threat of expensive civil litigation, as we have seen recently with BA. To avoid this, it is vital that (amongst other things) data controllers and processors assess whether they are doing enough to prevent cyber-attacks and protect their customers’ personal data.
Under data protection law, customers are entitled to take their case to court to (i) enforce their rights under data protection law if they believe those rights have been breached; and/or (ii) claim compensation for any damage caused by an organisation that has broken data protection law (including any distress suffered). Where both a data controller and a data processor involved in the same processing are jointly responsible for any damage, each of them is jointly and severally liable. Damages awards for such claims vary; however, the individual victims of the BA data breach are reportedly in line for up to £2,000 each. This may seem a small sum, but where there are multiple claimants, such awards can quickly add up, on top of the legal fees involved in defending such claims and any regulatory fines already levied by the ICO.
Last month, it was also reported that Facebook is being sued again for “losing control” of the data of around a million users in England and Wales. The action seeks damages from Facebook for its failure to comply with data protection laws and for failing to look after customer data.
Another major impact following a data breach is the effect on the company’s reputation. A company’s brand and reputation are unquestionably and inextricably linked to how it manages and mitigates its cyber risk and protects the personal data of its customers. For example, a company that suffers a data breach, particularly one that is widely reported and involves sensitive and/or financial data, risks losing existing and potential customers who may lose confidence in that company’s ability to adequately protect their personal data. It is therefore essential that companies have measures, policies and procedures in place not only to prevent (or mitigate as far as possible) the risk of a data breach occurring, but also to manage their reputational risk in the event that such a breach does occur.
How we can help
If you have any questions in relation to the above or you would like further information on how you can protect personal data, please contact Lowri Morgan-Macdonald in our Commercial and Technology team.