The Legal Consequences of a Data Breach in the UK

The COVID crisis of 2020 and the resulting shift towards remote working has precipitated a huge rise in the number of hacking attempts organisations have to face. In the UK alone the number of attempted cyber-attacks rose by 19%, with a total of 686,961 attacks taking place over the course of the year.1

With the average cost of a data breach in the UK now at £2.8 million, organisations need to protect themselves just to ensure they can remain operational.2 Unfortunately, protecting an organisation against all forms of cyber crime at all times borders on the impossible.

However, those with comprehensive action plans and security measures in place are best placed to mitigate the consequences of a breach. The legal implications of a breach are often overlooked, but in the UK they are now clearer than ever under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 that sits alongside it.

In this article, we’ll be walking through the legal ramifications of a data breach and what preemptive steps organisations can take to protect themselves. Let’s get started. 

GDPR requirements 

In May 2018, the European Union (EU) introduced GDPR to reinforce the rights of individuals over how their personal data is used and stored. Following the UK's departure from the EU, GDPR was retained in domestic law as the "UK GDPR", supplemented by the Data Protection Act 2018, so the obligations described below continue to apply to UK organisations.

Under the UK GDPR, organisations that experience a serious data breach can face a number of repercussions. These include:

  • First-party costs: Fines, plus the cost of investigating and containing the breach and meeting the duty to notify the Information Commissioner's Office (ICO). A breach that is likely to result in a risk to individuals must be reported within 72 hours of the organisation becoming aware of it, with details of its nature, its likely consequences and the measures being taken to deal with it. Where the risk to individuals is high, the affected individuals must also be told without undue delay.
  • Third-party litigation: Significant data breaches that lead to the theft of personal data can result in compensation claims from the individuals affected.
  • Reputational damage: Modern customers are far more aware of how their personal data is stored and of the personal risks if that information is stolen. A third (33%) of UK organisations say they have lost customers after a data breach.3
  • Personal and professional liability: Organisations, advisory firms, directors and officers can all face legal action if they are found to have been negligent in handling their customers' personal data, and individuals who misuse personal data can be prosecuted under the Data Protection Act 2018.

Fines and penalties 

If an organisation is found to have breached the UK GDPR, it can potentially receive a fine of up to £17.5 million or 4% of its annual global turnover, whichever figure is greater. The two largest UK cases to date both began as notices of intent that were substantially reduced in the final penalty notices:


  • In response to British Airways' (BA) website being compromised and customer traffic diverted to a fraudulent site, which resulted in the theft of more than 400,000 customers' personal information, the ICO announced its intention to fine the airline £183.39 million.4 The ICO found that BA was "processing a significant amount of personal data without adequate security measures in place", in breach of the security-of-processing requirements of Article 32 of the GDPR. The final penalty, issued in October 2020, was £20 million.
  • After a breach of the Starwood guest reservation database exposed around 339 million guest records, the ICO announced its intention to fine Marriott International £99 million.5 The ICO found that Marriott had failed to undertake sufficient due diligence after acquiring the Starwood hotels group. The final penalty, issued in October 2020, was £18.4 million.

Suggested reading: For more on how a data breach can impact organisations financially, check out our blog — The Financial Impact of a Data Breach in 2021


Compensation claims 

Under the UK GDPR, individuals who have been impacted by a data breach have the right to take the organisation that allowed their personal data to be accessed to court in order to claim compensation.

Affected individuals can claim for both material damage, such as the loss of money, and non-material damage, such as emotional distress caused by the loss of their data.


The two best-known examples are from the US rather than the UK, but they illustrate the scale that third-party claims can reach:

  • US health insurer Anthem paid $115 million (£83m) to settle a class-action lawsuit relating to its 2015 data breach, in addition to a $16 million (£11.5m) settlement with the US Department of Health and Human Services.6
  • After its 2013 data breach, in which around 40 million credit and debit card accounts were compromised, retail giant Target reported breach-related costs of over $200 million (£144m), much of it litigation, and in 2017 agreed an $18.5 million (£13.3m) settlement with US state attorneys general.

The threat of prosecution 

While not as common as the first two ramifications detailed above, data protection law also carries the threat of personal prosecution as a result of a data breach. The criminal offences come from the Data Protection Act rather than the GDPR itself, but they apply to anyone who unlawfully obtains or misuses personal data.

Where a complaint has been made, the ICO has the authority to bring criminal prosecutions against individuals through the courts.

The majority of these prosecutions have been brought under section 55 of the Data Protection Act 1998, the offence of knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller. Its successor, section 170 of the Data Protection Act 2018, carries that offence forward and adds the offence of "knowingly or recklessly retaining" personal data without the consent of the data controller.


  • After unlawfully emailing personal client data to herself and using that information in a new position with a different employer, a recruitment consultant was prosecuted under section 55 and ordered to pay £444 in costs.7
  • An employee of Heart of England NHS Foundation Trust (HEFT) was prosecuted under sections 55 and 60 of the 1998 Act for viewing the personal data of five adults and five children without a legitimate reason. She was ordered to pay a £1,000 fine, as well as an additional £590 towards the prosecution costs.

An effective cyber security strategy is essential 

As the data and examples outlined above show, there are significant costs and implications that can arise from the mishandling of personal data.

The ICO is in a position to levy significant fines against any organisation that has been found to be in breach of the provisions of the UK GDPR.

In addition to those fines, there is already a significant history of organisations facing individual and class-action lawsuits from customers impacted by a data breach, adding to the losses they are already likely to suffer.

Once the direct fines and litigations have been cleared up, the reputational damage caused by a mishandled data breach can result in the loss of customers, sales and revenue, further exacerbating the problem.

Under the UK GDPR and the Data Protection Act 2018, directors, advisors and staff can all find themselves personally liable for the mishandling of personal data, and can potentially face the prospect of being prosecuted for its unlawful use.

The question is, what should your organisation do to mitigate and minimise these risks to avoid disastrous consequences?

As we’ve already noted, there is, unfortunately, no guaranteed way to secure your organisation entirely against the threats posed by the ever-evolving cyber crime landscape.

However, putting in place a robust cyber security strategy can help to shield an organisation from the legal fallout of a data breach, and demonstrates the "appropriate technical and organisational measures" that the UK GDPR requires.

Fortunately, there is help available. Here at Six Degrees, we work with a range of organisations to provide resilient, industry-leading cyber security outcomes. 

We are fully equipped to provide our customers with robust, end-to-end cyber security services, including consultation on the development of cyber security strategies. Our solutions provide a proactive approach to help you reduce the threat of a data breach — get your Aegis cyber security maturity assessment today.

By working with Six Degrees, organisations can put their cyber security strategies in the hands of our expert team, and most importantly get back to applying their time and resources to developing and optimising commercial outcomes. Get in touch with our team today.

Additional reading: To learn more about our cyber security methods, take a look at our blog — The Six Degrees Approach to Cyber Security
