Go to page content

Been in a data breach? Get compensated

Data breaches are increasingly common and the law can allow victims to claim compensation for any loss caused by the breach and the distress it has caused. But what exactly is a data breach and how do you know if your data has been in one?

Compensation breach blog

A new commodity spawns a lucrative, fast-growing industry, prompting antitrust regulators to step in to restrain those who control its flow. A century ago, the resource in question was oil. Now similar concerns are being raised by the giants that deal in data, the oil of the digital era.

Several large data breaches occurred in the past few years, including on 19t May 2020, when easyJet announced they were the victim of one of the UK's largest-ever data breaches. Around nine million easyJet customers had their data accessed, including names, email addresses, travel details and, in some cases, their credit card details.

More recently Funky Pigeon experienced a ‘cyber incident’. The WH Smith-owned card site reported the breach to "the relevant regulators and stopped taking orders while they investigated the extent to which any personal data - specifically names, addresses, email addresses and personalised card and gift designs - has been accessed.”

But these occurrences are rife. According to the RPC, the international law firm, 42.2m people in the UK had their financial data compromised in a breach last year- up 1,777%!

But what exactly does a data breach mean?

A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, sold, or used by an individual unauthorised to do so.

A data breach could include your medical records being sent to the wrong person which causes you stress and embarrassment or data that a company holds for you online being accessed by criminals to be used for fraud causing you stress, worry and financial loss. A small company or large organisation may suffer a data breach.

There is real value in your data and after a breach, you may be targeted by hundreds of junk emails, and spam causing you stress and inconvenience and even financial loss and digital harm.

Most data losses occur by human error. With data storage online becoming commonplace for organisations, concerns about cybercrime and the misuse of personal data are on the rise.

Personal data breaches you most often hear about are those where an unauthorised third party, such as a hacker, has gained access. Another data protection breach example is when technology containing personal data is lost or stolen.

But it's also a personal data breach when companies send your data to someone else without your consent, or when your data is altered without your permission.

If you become aware that an organisation has lost your data because of a breach, there are steps you can take to protect yourself and, in some cases, claim compensation.

How do you know your data is included in a data breach?

Thankfully, legislation exists to protect you. Companies should write to you if your data is breached, and the full impact of the data breach isn't apparent until a few months after the loss, with financial losses usually occurring three to six months later.

Alternatively, you can check yourself. A website called "Have I been pwned" can help internet users determine if their data has been exposed in an online breach. Maintained by security analyst Troy Hunt, the database lets you check if one of your email addresses or passwords has been compromised, or "pwned," in internet speak. Go to: www.haveibeenpwned.com.

Alternatively, there are plenty of solicitor's websites that provide a free data breach tool for you to 'check and claim'. Simply go to Google and type in 'Data Breach Claim'.

Can I claim compensation if my data has been breached?

Under GDPR law, if an organisation that holds your data causes it to be disclosed in an unauthorised way whether that's by error or accident by someone, you can claim compensation for any loss caused by the breach and the distress it has caused.

The GDPR legislation gives you a right to claim compensation from an organisation if you have suffered damage because of it breaking data protection law. This includes both "material damage" (e.g., you have lost money) and "non-material damage" (e.g., you have suffered distress).

If you've suffered distress or financial loss because of your data being compromised, the first thing you must do is contact the organisation that you believe is responsible.

Outline what distress and/or losses you've suffered, and how you expect it to compensate you. It's important to note that you can now make a claim relating to distress alone - you do not need to have also suffered financial loss.

Alternatively, you can use a specialist claims company to make an application for compensation.

How much compensation can I get for a data breach?

Data breaches can lead to big money – it has been reported that 'Millions of easyJet customers could be owed up to £2,000 compensation', for example.

The amount of compensation you can claim for a data breach will depend on the nature of the breach and what impact it had on you. The law around data breaches is still relatively new, so there are no fixed guidelines around the amount of compensation that should be awarded.

In England and Wales, compensation amounts can range from £750 to over £10,000 for a data breach claim depending on how serious the data breach was – so it's worth taking it seriously and considering taking legal advice.

There are plenty of companies out there offering free legal advice and will make a claim for you on a 'no win no fee’ basis. Simply do a Google search for 'no win no fee' solicitors who handle data breaches.

What can you claim compensation for?

You can claim for both financial loss and personal distress in a data breach claim.

This can include:

● Financial loss and/or bad credit

● Identity theft and fraud

● Damage to your or your business' reputation

● Distress

● Discrimination

Be aware if you’re looking to make a data breach claim, you’ll need to show evidence of any financial loss and distress. For example, a doctor’s note if the breach has caused you mental health problems such as anxiety or depression

Time Limits for a Data Breach Claim

You have six years from when your data was breached or when you first felt the impact of the breach to make a data breach claim under UK GDPR. There are strict time limits in place for a data breach claim, so it's important to get expert legal advice as soon as you can so you don't miss any important deadlines.

Prevention is the best course of action

If your data has been lost and you use the same or similar login information - such as passwords and usernames - for other websites or online accounts, you should change those details immediately. You should also keep a watchful eye for any suspicious bank transactions and be careful taking any calls from people asking for your data.

You can also use Rightly Protect to remove your data from those companies you don't need or want to have your personal information.

Simply use the free Rightly Protect service to analyse your email inbox and find a list of companies that have your data. You can then simply choose any or all in the list and ask them to delete your data. The fewer companies that have your data the less chance you’ll be included in a data breach.

You can also carry out a risk assessment to evaluate how much damage has been done and whether it’s too late to do something about it.