Data Breach

Over the past few years, there has been an increasing number of claims against businesses and public bodies for distress caused by data breaches. The pattern is, by now, a familiar one. A claimant will make a claim for breach of data protection legislation, seeking damages at a relatively low value for the distress and anxiety they say has been caused by the data breach. This claim will be accompanied by claims for one or more of: misuse of private information, breach of confidence and negligence. Added on to the damages claimed will be the legal costs of the claimant’s lawyers, together with the after-the-event (“ATE”) insurance premium for the policy the claimant will have procured to bring a privacy claim. As a result, the defendant is faced with a difficult decision – pay over the odds for a claim where the claimant has suffered no financial loss, or fight litigation with the risk of mounting costs on both sides if the decision goes against them.

Following a cyber-attack in 2017 and 2018, this is the situation that faced DSG Retail Limited (“DSG”), and which has led to an important judgment for these data breach claims, Warren v DSG Retail Ltd [2021] EWHC 2168 (QB).
Continue Reading Narrowing the Scope of Data Breach Claims? – Warren v DSG Retail Ltd

As reported on our sister blog Consumer Privacy World, Home Depot recently reached a settlement in a lawsuit related to a September 2014 data breach that affected the payment card information of nearly 40 million customers.

In addition to a financial settlement, Home Depot agreed to implement and maintain various cybersecurity protocols, including:
Continue Reading Home Depot’s Agrees to Multistate Settlement Related to 2014 Breach – The Cost: $17.5 Million and Updated Cybersecurity Requirements

A financial institution has asked a Virginia federal court to overturn a magistrate judge’s order to disclose its forensic report, detailing its 2019 data breach. If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events and attorney work product privileges. Here we provide the following practical takeaways:
Continue Reading Data Breach: Is Your Forensic Report Privileged?

A cyber-attack on budget airline EasyJet that has resulted in the exposure of the email addresses and flight details of 9 million of its customers and the credit card details of 2,208 of them is a reminder to all of the vulnerabilities, risks and obligations in relation to personal data.

Two years on from the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA), and the Network and Information Systems Regulations 2018 (NIS) coming into force, there is an expectation that cybersecurity programmes exist in organisations to protect data. Implementation of programmes that adequately protect against potential attackers and ensure compliance with the GDPR, DPA and NIS remains a key challenge faced by businesses operating in the UK and beyond.
Continue Reading EasyJet Cyber-Attack: How to Avoid an Easy Hack

The ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate.

Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources (both in terms of staff and funds), it is important that organisations do what they can to try to maintain data security protections whilst taking the actions necessary to deal with this crisis. This may include the need to send unusual and sometimes urgent communications to individuals, which can increase the risk of breaching data protection laws.
Continue Reading A Timely Reminder: Maintain Data Security in the Face of the Pandemic

Virgin Media is reportedly one of the latest UK companies to suffer a data security breach. On 5 March 2020, it published a statement on its website explaining that one of its databases had been accessed without Virgin Media’s authorisation, due to a configuration issue. It is reported that the database had been left unsecured since April 2019 and that it contained information about (approximately) 900,000 existing and potential customers. Virgin Media states that the compromised information was mostly limited to contact and product data and importantly, did not contain financial information or passwords.

The statement sets out a number of frequently asked questions, with easy-to-understand responses. The ICO and affected data subjects have been notified, and the statement gives customers information about possible scams and phishing attacks, to help them better protect themselves and stay aware of the risks in the heightened risk environment following the incident.
Continue Reading Virgin Media suffers Data Security Breach

An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued owners DSG Retail Limited with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the maximum available to the Commissioner, under the Data Protection Act 1998, who in her findings observed that “but for the statutory limitation on the amount, it would have been reasonable and proportionate to impose a higher penalty”. This decision is important for retailers, particularly on payment information. It is also helpful to understand the factors involved in the breach of security, and offers some insight as to the ICO’s assessment of “appropriate technical and organisational measures” which of course remain crucial requirements for the security of personal data under the GDPR.
Continue Reading ICO Issues Fine Against National Retailer for Security Failings

In recent days, all eyes have been on the escalating tension between Iran and the US. While we wait and watch politics unfold, the Department of Homeland Security (DHS), New York’s Department of Financial Services and the Cybersecurity and Infrastructure Security Agency (CISA) have all issued notices concerning the heightened risk of an Iranian cyberattack.