How to defend against privacy violation claims

Created by FindLaw’s team of legal writers and editors | Last updated March 20, 2019

Let’s say you accidentally leave a personal letter containing private information on a public park bench, and that letter is picked up and read by someone else. Even if the sharing of this information damages your reputation or causes other harm, it is not a violation of your privacy. That requires a “reasonable expectation of privacy”, which would apply if the letter was not left out in public.

But if you’re having a private conversation in your home and a neighbor uses an electronic device to eavesdrop (and this causes injury), then your expectation of privacy has been violated. This is because you have a reasonable expectation that your neighbor is not using surveillance on your home.

An invasion of privacy occurs when there is an intrusion upon your reasonable expectation to be left alone. This article covers the four main types of invasion of privacy claims, an intentional tort primarily controlled by state laws.

The four main types of invasion of privacy claims are:

  1. Intrusion of Solitude
  2. Appropriation of Name or Likeness
  3. Public Disclosure of Private Facts
  4. False Light

The following information explores these types of claims and the basics of invasion of privacy law in general.

1. Intrusion of Solitude

Intruding upon another’s solitude or private affairs is subject to liability if the intrusion is considered highly offensive to a reasonable person. This tort is often associated with “peeping Toms,” someone illegally intercepting private phone calls, or snooping through someone’s private records.

Taking photographs of someone in public would not be invasion of privacy; however, using a long-range camera to take photos of someone inside their home would qualify. Making a few unsolicited telephone calls may not constitute a privacy invasion, but calling repeatedly after being asked to stop would.

Example: A man with binoculars regularly climbs a tree in his yard and watches a woman across the street undress through her bathroom window.

2. Appropriation of Name or Likeness

Plaintiffs may make a claim for damages if an individual (or company) uses their name or likeness for benefit without their permission. Usually this involves a business using a celebrity’s name or likeness in an advertisement. Some states even limit this type of privacy tort to commercial uses.

This is not always the case. For example, a private detective who impersonates someone else to obtain confidential information has invaded that person’s privacy. The recognition of this tort is like a property right; in other words, a person’s name and likeness are treated as that person’s property. For celebrities, this is often referred to as the “right of publicity”.

Example: An advertising agency approached musician Tom Waits to participate in a campaign for a new automobile. Waits, who has a distinctive and easily recognizable voice, declined. The advertisers hired someone who sounds like him to do the soundtrack, prompting Waits to sue the automaker for appropriating his likeness.

3. Public Disclosure of Private Facts

This type of invasion of privacy claim must be weighed against the First Amendment’s protection of free speech. Unlike defamation (libel or slander), truth of the disclosed information isn’t a defense. If an individual publicly reveals truthful information that is not of public concern and which a reasonable person would find offensive if made public, they could be liable for damages.

For example, a woman about to deliver a baby via caesarean section agrees to allow the operation to be filmed for educational purposes only, but instead it’s shown to the public in a commercial theater. This is an invasion of her privacy. However, publishing an article about a politician known for his family values who is having an affair with a staffer is of public concern and therefore not an invasion of his privacy. Some states, including New York, don’t recognize this type of claim.

Example: The maiden name of a former prostitute who was acquitted of murder was revealed in a film about the case. Since the trial, she had moved to another city, gotten married and adopted a new lifestyle. Her new friends were unaware of her past, so the disclosure of this true but embarrassing information was deemed an invasion of her privacy.

4. False Light

A false light claim is similar to a defamation claim in that it allows an individual to sue for the public disclosure of information that is misleading (or puts that person in a “false light”), but not technically false. The key difference is that defamation claims apply only to the public broadcasting of false information. As with defamation, First Amendment protections sometimes prevail.

Generally, a false light claim must contain the following elements: (1) the defendant made a publication about the plaintiff; (2) it was done with reckless disregard; (3) it placed the plaintiff in a false light; and (4) it would be highly offensive or embarrassing to a reasonable person.

Example: A 96-year-old woman sued an Arkansas newspaper for printing her picture next to the headline, “Special Delivery: World’s oldest newspaper carrier, 101, quits because she’s pregnant!” The woman, who was not pregnant, was awarded damages of $1.5 million.

Get Legal Help with an Invasion of Privacy Claim

Privacy issues are complicated and emotional, which can result in highly contentious court proceedings. Whether your privacy has been violated, or someone is accusing you of violating their privacy, you may benefit from a lawyer’s assistance in preparing your case. Contact a local defamation attorney with invasion of privacy law experience to learn how they can help you defend your rights in court.

Prior to the introduction of the General Data Protection Regulation (GDPR), an individual whose information was the subject of a data breach in this jurisdiction could only claim compensation for material damage, i.e. actual, quantifiable damage. A data breach is an incident where information is leaked or stolen and usually happens accidentally or as a result of a cyber-attack by a third party. Article 82 of the GDPR, and section 117 of the Irish Data Protection Act 2018 (DPA), introduced a new right to compensation for individuals, which has opened the door for claimants to seek compensation for what is considered non-material damage, such as distress and upset. As a result, corporate entities in Ireland are becoming increasingly involved in defending claims brought by individuals before the Irish courts seeking compensation arising from data breaches. A single data breach can result in multiple claims being brought by the individuals affected, which represents a considerable risk for entities that collect and store personal information.

A recent decision of the English High Court, Rolfe v Veale Wasbrough Vizards LLP, provides useful guidance on an individual’s right to compensation for distress and upset arising from breaches of their data protection rights. In particular, the court found that claimants must show damage or distress over a de minimis threshold to succeed in a claim for compensation. In Rolfe, the claim concerned a data breach involving a limited amount of personal data. It was held that the claimants, Mr and Mrs Rolfe, failed to prove damage over the de minimis threshold and were not entitled to compensation. In granting the defendant’s application to dismiss Mr and Mrs Rolfe’s claim, the court also awarded costs against them in circumstances where the court found the claims were exaggerated and lacked credible evidence of distress.

Although not binding in this jurisdiction, the consideration of an individual’s right to compensation in Rolfe may be considered persuasive by the Irish Courts and will be welcomed by parties defending data breach claims in this jurisdiction.

Rolfe v Veale Wasbrough Vizards LLP

Mr and Mrs Rolfe owed fees to a school represented by the defendant law firm, Veale Wasbrough Vizards LLP. The school had been instructed to write to the couple with a demand for payment. Due to a typographical error, the defendant accidentally sent an email intended for the Rolfes to a third party. The email attached a request for payment of outstanding school fees and contained a limited amount of Mr and Mrs Rolfe’s personal data, including their names and address. The misdirected email was promptly deleted by the recipient who was unknown to the couple.

Mr and Mrs Rolfe brought a claim seeking damages for distress under Article 82(1) GDPR and section 169(1) UK Data Protection Act 2018, which is similar to section 117 of the Irish DPA, together with common law actions in breach of confidence, misuse of confidential information, and negligence. In seeking to establish distress, they asserted they had “lost sleep worrying about the possible consequences”, that the disclosure “had made them feel ill”, and they were suffering “fear of the unknown” regarding the consequences.

The defendant law firm disputed that the incident caused Mr and Mrs Rolfe to suffer harm in excess of the de minimis threshold and applied to have the claim dismissed on the basis that the claim had no real prospect of success.

De minimis principle

The court confirmed that it is possible to recover damages for non-material damage flowing from a data breach. However, a claimant must be able to show that they have suffered loss or damage over a de minimis threshold, meaning it must not be trivial. The court quoted with approval the Court of Appeal’s recent judgment in Lloyd v Google, which endorsed a seriousness threshold that would exclude “for example a claim for damages for an accidental one-off data breach that was quickly remedied”.

The court concluded that the claimants in Rolfe could not prove damage over a de minimis threshold, taking into consideration the “minimally significant” nature of the information and the circumstances of the breach, including the prompt deletion of the email.

Ordinary fortitude test

In holding that the distress suffered fell below the de minimis threshold, the court observed that no person of “ordinary fortitude” would reasonably suffer the distress claimed in these circumstances. The court added that it was “inappropriate” in the modern world for a party to claim compensation for breaches of this sort.

Costs

The court not only granted the defendant’s application to dismiss Mr and Mrs Rolfe’s claim, but also ordered that they pay £11,000 in costs to the defendant given the “strong observations of [the] court as to the nature of the claim in terms of exaggeration” and “lack of credible evidence of distress”.

Lloyd v Google LLC

Separately, in another welcome development for parties defending data breach claims, the UK Supreme Court recently delivered its decision in Lloyd v Google LLC. In that case, the UK Supreme Court found that damages were not awardable for a mere loss of control of personal data under the UK data protection regime. The court further held that the UK Data Protection Act 1998 (UK DPA) could not “reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress…”.

As with Rolfe, the decision in Lloyd is not binding in this jurisdiction and the decision itself concerns the UK Supreme Court’s interpretation of the UK DPA, which pre-dates the GDPR. However, as the UK DPA provides that individuals can seek compensation for distress arising from a data breach, it is certainly indicative of judicial thinking about an individual’s right to compensation for non-material damage and may be considered persuasive by the Irish Courts.

Conclusion and key takeaways

In circumstances where there has been no Irish case law to date on what constitutes non-material damage and distress under the GDPR and the DPA, the decisions in Rolfe and Lloyd provide useful guidance and may be considered persuasive authority by the Irish courts.

Key takeaways include:

  • Rolfe confirms the principle that where there is an infringement of data protection law, there must be damage above a “de minimis threshold of triviality” for a claim in damages to succeed.
  • The decisions in Rolfe and Lloyd will be welcomed by parties defending data breach compensation claims in Ireland for distress under Article 82 GDPR and section 117 of the DPA.
  • It is possible that the “ordinary fortitude test” employed by the court in Rolfe may form part of the test for distress in data breach cases going forward.
  • Rolfe may be persuasive authority in this jurisdiction for data controllers to seek costs orders against claimants that do not provide compelling evidence of distress above a de minimis threshold or where such claims are exaggerated.

For more information, contact a member of our Commercial Litigation or Technology teams.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

The Civil Rights Division enforces federal laws that protect you from discrimination based on your race, color, national origin, disability status, sex, religion, familial status, or loss of other constitutional rights.

If you believe your civil rights, or someone else’s, have been violated, submit a report using our online form.

If you are in danger, contact 911

If you or someone else is in immediate danger, please call 911 or local police.

If you are reporting misconduct by law enforcement or believe you have experienced a hate crime, please contact the FBI.

About the Civil Rights Division

We protect your rights through:

  • Enforcement: we sue or prosecute individuals and organizations who violate civil rights laws. You can help us do this work by reporting a possible civil rights violation through our online form.
  • Education: we help the public understand how to comply with these laws. We do this through public speaking, technical assistance, and more.
  • Coordination: we help the entire federal government work together to enforce these laws. Our teams work with other agencies to promote a consistent approach to civil rights laws.

Understanding your rights

Civil rights laws can protect you from unlawful discrimination, harassment, or abuse in a variety of settings like housing, the workplace, school, voting, business, healthcare, public spaces, and more.

If you have been mistreated by law enforcement (including while incarcerated), believe you have been a victim of a hate crime, or a victim of human trafficking, we can help get you to the right place.

Example civil rights violations include:

  • Workplace discrimination or other employment-related problem
  • Housing discrimination or harassment
  • Discrimination at a school, educational program or service, or related to receiving education
  • Mistreated by police, correctional staff, or inmates
  • Voting rights or ability to vote affected
  • Discriminated against in a commercial location or public place
  • Victim of a hate crime
  • Victim of human trafficking

Examples of workplace discrimination or other employment-related problems:

  • Fired, not hired, or demoted for reasons unrelated to job performance or qualifications
  • Retaliated against for reporting discrimination
  • Inappropriately asked to provide immigration documentation
  • Denied reemployment or fired based on military service
  • Denied an accommodation for a disability, including not being allowed to have a service animal in the workplace

If you think you’ve experienced a similar situation, learn how to report a civil rights violation.

Protected by civil rights laws

These are the most common characteristics that are legally protected.

  • Race/color
  • Disability including temporary or in recovery
  • Religion
  • Sex, gender identity, and sexual orientation
  • Immigration/citizenship status
  • Language and national origin including ancestry and ethnicity
  • Family, marital, or parental status including pregnancy
  • Age
  • Genetic identification
  • Servicemember status

How to report a civil rights violation

If you believe that you or someone else experienced unlawful discrimination, you can report a civil rights violation.

  1. Report using our online form. By completing the online form, you can provide the details we need to understand what happened. You will receive a confirmation number and your report is immediately sent to our staff for review.
  2. We review your report. Teams that specialize in handling your type of issue will review it. If it needs to be forwarded to another team or agency, we will try to connect your complaint to the right group.
  3. We determine next steps and get back to you. Possible outcomes include: following up for more information, starting a mediation or investigation, directing you to another organization for further help, or informing you that we cannot help.

Have you or someone you know experienced a civil rights violation?

If you cannot access the online form, you can call to report a violation or report a violation by mail.

Already submitted a report?

Here’s what to expect.

Thank you for your report. We carefully read each one to determine if we have the authority to help. We do our best to let you know about the outcome of our review. However, we may not always be able to provide you with updates because:

  • We’re actively working on an investigation or case related to your report.
  • We’re receiving and actively reviewing many reports at the same time.

If we are able to respond, we will contact you using the contact information you provided in this report. Depending on the type of report, response times can vary. If you need to reach us about your report, please refer to your report number when contacting us. This is how we keep track of your submission.

Need urgent legal help?

Due to the number of reports we receive, it can take several weeks for us to respond to your issue. Local legal aid offices or lawyers in your area may be able to respond to or help with your concern more quickly.

There is nothing more damaging emotionally or mentally than having your personal and private health information shared with others without your permission. It can cost a person their job, personal relationships can be destroyed, and untold damage can be done to your personal life.

That is why there are many Florida and federal laws, such as HIPAA/HITECH, which protect your health information from unauthorized release or disclosure. Hospitals and doctors have certain responsibilities for your medical information, such as verifying who is seeking access to your records, and having software in place to catch unauthorized persons who attempt to access your information. Unfortunately, often these hospitals and doctors don’t take the steps necessary to protect your information.

If you have been the victim of having your privacy violated by an unauthorized release of your medical information, you have rights.

At McKenzie Law Firm, we have been handling HIPAA privacy violation claims against doctors, hospitals, and healthcare providers for years. If your private medical information has been illegally obtained or shared with others and you have been injured and hurt by the violation of your medical privacy rights, contact us to schedule a free consultation with our firm.

We handle individual and large-scale medical privacy claims, including:

  • Online publication of protected health information
  • Unauthorized releases of medical records
  • Unauthorized sharing of protected health information
  • Unauthorized disclosures of HIV status and other medical conditions
  • Unauthorized disclosures of drug test results
  • Illegal purchase and sale of your protected health information
  • Medical data privacy breaches by hackers

Staff at the food manufacturing company could claim compensation over a data breach, highlighting the risk such incidents pose.

A data breach at UK food manufacturer Greencore could end up proving costly for the company, with a group of current and former employees seeking legal advice on whether to sue the business if their personal information was compromised. Employee data breach claims are becoming increasingly common, adding an additional headache for businesses that can already face large fines if information is stolen.

[Photo: Greencore’s site in Bristol. The company could face a class action lawsuit after a data breach saw employee information accessed. (Photo by Matt Cardy/Getty Images)]

In a letter to staff last month, Greencore admitted suffering a data breach in December, in which information including employees’ roles and salaries, bank account details and other personal information was accessed by hackers. Further details of the incident, and the number of staff affected by the breach, are unknown, but the company employs more than 30,000 people across 35 sites throughout the UK and Ireland.

Data breach law firm Hayes Connor has taken up the case, and on Wednesday revealed it is working with up to 40 Greencore employees who suffered from the breach. Christine Sabino, a lawyer at Hayes Connor representing the potential claimants, said: “The information we have received is hugely concerning and further answers are clearly needed. This company employs thousands of people across a range of sites, but no real indication has been provided on how many have been affected.

“While we have heard first-hand from a number of people worried by these developments, there will likely be many more who are also concerned about what has happened,” she said.

Greencore said it “takes matters of data security extremely seriously”. A company statement added: “We’ve been working alongside a team of IT forensic experts who continue to investigate the incident,” adding that identity monitoring resources have been available to those affected.

Employee data breach claims are becoming more common

Individual and class action suits against companies by employees over data breaches are becoming increasingly common in the UK. Just this month, 106 members of staff at UK Mercedes dealership LSH Auto began legal proceedings after personal data was accessed.

“It happens more often than you’d think,” says Chris Hauk, consumer privacy champion at Pixel Privacy. “Employees can claim negligence, saying that the company did not take the necessary steps to protect their data from a data breach. They could also claim that the company is in breach of contract as it was obligated to protect the employee’s information.”

Such suits can be costly. The University of Pittsburgh Medical Centre suffered a breach in 2014, after which 66,000 employees filed a class action lawsuit in an employer data breach claim. Their case was successful and the claimants received $2.65m in August of last year.

Mishandling of employee data can be particularly costly when it comes to regulatory action too, says Toni Vitali, data security lawyer and partner at law firm Gateley Legal. “When [UK data watchdog] the Information Commissioner’s Office (ICO) decides whether to bring a sanction or what level of fine to impose, it often takes into account what the bits of information are,” he adds. “And the more information that’s been disclosed, the higher the fine or the higher the sanction.”

Fines can be up to £17.5m or 4% of a company’s total annual worldwide turnover, whichever is higher, according to ICO guidelines.

What tech leaders can do to avoid employee data breach lawsuits

The information that companies hold about their employees is often highly sensitive, explains Vitali. “You might have gathered information about their religious beliefs or their ethnic background. You have information about their pay, their benefits, you are likely to be paying them regularly into a bank account each month.”

“If you were to write down the list of information that you have about your employees, it’s going to be five times, ten times as much information that you have about a customer,” Vitali adds.

This makes employee data attractive to criminals. Jason Steer, global CISO at security firm Recorded Future, says “there are a wide range of threat actors who would love to get hold of this personal data and so will go to great lengths to obtain it.”

Employers should be protecting employee data at all costs to avoid these sorts of issues. “A responsible employer should, at a very minimum, encrypt the data that it holds on behalf of its employees,” explains Simon Milner, cyber insurance agent at Miller Insurance.

What do information privacy laws do?

In Victoria, information privacy laws operate to protect the privacy of individuals’ information.

The Privacy and Data Protection Act 2014 protects the privacy of an individual’s personal information held by Victorian government organisations and is administered by the Office of the Victorian Information Commissioner (OVIC).

The Health Records Act 2001 (HR Act) protects the privacy of an individual’s health information held in the public and private sectors in Victoria and provides a right of access to individuals’ health information. Under the HR Act, the Health Complaints Commissioner can help to resolve complaints about the handling of health information.

Personal information and health information – what’s the difference?

Personal information is information or an opinion that is recorded in any form (including forming part of a database) about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion. It does not include information of a kind to which the HR Act applies.

Health information means information or an opinion about:

  • an individual’s physical, mental or psychological health, including any disability,
  • a health service an individual has received or will be receiving,

that is also personal information; or

  • other personal information collected to provide a health service.

What is a privacy data breach involving health information?

The HR Act contains 11 Health Privacy Principles (HPPs) that regulate how public and private sector organisations should handle personal health information in Victoria.

A privacy breach (also known as a ‘data breach’) occurs when there is a misuse, unauthorised disclosure or loss of personal health information.

A privacy breach can be accidental and, in some cases, malicious. It will usually involve a failure to comply with one or more of the HPPs.

Some examples are:

  • Sending an email or letter to an incorrect recipient.
  • Providing the personal details of an individual such as a mobile phone number to another person without the consent of the individual.
  • The loss or non-secure storage of personal information, which is either identified by the organisation or by a member of the public who, for example, finds health records in a public place.

What an organisation can do

We encourage organisations to report such privacy breaches to the HCC even though the HR Act does not impose any mandatory breach reporting requirements upon organisations who are regulated by the HR Act.

Private sector organisations in Victoria that experience a privacy breach involving health information may also have obligations under the Commonwealth Notifiable Data Breaches scheme. More information is available on the Office of the Australian Information Commissioner webpage.

How to report a privacy breach to the HCC

You can notify us of a privacy breach by email or by telephone. There is no required form. You can call us on 1300 582 113 in the first instance or send an email to [email protected]. This should be done early on, which might be before you have all the details of what occurred. The HCC considers that notification to the HCC should occur within 14 days of the breach being identified.

Depending on the circumstances, we may need to have ongoing contact in relation to management of the breach and we usually require organisations to send us a report after the matter has concluded for us to review the steps taken.

Notification to the HCC should include:

  • Name of the organisation
  • Name of a contact person at the organisation
  • Type of health information involved
  • Description of the incident including copies of any relevant documents
  • Details about mitigation and changes in procedures to address the breach
  • Details about whether the affected individuals have been notified and a deidentified copy of any letter sent to affected individuals. We normally ask you to include contact details of the HCC in any notification to individuals, so they have the option of contacting us.

Resources for organisations

The Office of the Victorian Information Commissioner has useful information to guide organisations on how to respond to data breaches.

OVIC’s Managing the privacy impacts of a data breach webpage also has information on how an organisation can notify individuals affected by a data breach.

In the recent and significant Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) decision, the High Court in England clarified the limited circumstances in which claims for breach of confidence, misuse of private information and the tort of negligence might be advanced by individuals seeking compensation for distress relating to a cyber-security breach where the proposed defendant was itself the victim of a third-party cyber-attack. The decision has made it harder to bring free-standing (non-statutory) cyber-security breach claims in England and Wales where the proposed defendant has not positively caused the breach, and has also brought into question how such claims may be funded going forward, particularly via “After-the-Event insurance” (“ATE insurance”).

Background

The defendant (“DSG”) is a retailer operating the ‘Currys PC World’ and ‘Dixons Travel’ brands. In 2017-2018 DSG was the victim of a complex cyber-attack: the attackers infiltrated DSG’s systems, installed malware that ran on thousands of point-of-sale terminals in stores, and accessed the personal information of DSG’s customers.

The Information Commissioner’s Office (“ICO”) investigated the attack and concluded that DSG breached the 7th data protection principle (“DPP7”) of the Data Protection Act 1998 (“DPA 1998”), which requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”, and issued a £500,000 fine in respect of this breach, which is currently under appeal.

The claimant, Mr Warren, purchased goods from DSG and claimed that his personal information (name, address, phone number, date of birth, email address) had been compromised in the cyber-attack. He brought a claim against DSG as the relevant data controller for damages limited to £5,000, which covered four causes of action: (1) breach of confidence; (2) misuse of private information; (3) common law negligence; and (4) breach of statutory duty under DPA 1998. DSG sought summary judgment on, and/or an order striking out, claims 1-3.

Decision

The judge considered whether the breach of confidence, misuse of private information and common law negligence claims had a “real prospect of success” (CPR 24.2), and concluded that they did not. Those claims were struck out leaving only the claim for breach of statutory duty under DPA 1998.

  1. Breach of confidence and misuse of private information: The judge determined that both the breach of confidence and misuse of private information actions require some positive wrongful action, and that these claims cannot succeed without “use” or “misuse” of the information by the defendant – a failure to secure data (i.e. an omission) is not “use”. In this case it was not alleged that DSG took any positive wrongful actions – the wrong was rather a “failure”, a failure to keep data sufficiently secure from unauthorised third party access. This was not a sufficiently positive act to amount to a breach of confidence or misuse of private information.
  2. Common law negligence: The judge accepted DSG’s submission that there were two fatal problems with the negligence claim:
    • It was not necessary to impose a duty of care where statutory duties under DPA 1998 operate – there was no room or need to construct a concurrent duty in negligence when there is a bespoke statutory regime in existence determining the liability of data controllers.
    • The cause of action for recovery of damages for negligence requires that the claimant has suffered loss. The nature of the loss claimed by Mr Warren was distress only – he did not allege personal injury or any pecuniary loss suffered as a result of the alleged negligence. While distress could form the basis of a claim under DPA 1998, it was not sufficient to complete the cause of action in negligence.

Accordingly the negligence claim also fell to be struck out.

  3. Breach of statutory duty under DPA 1998: Mr Warren’s claim for breach of statutory duty arising from the alleged breach of DPP7 was not disputed and was allowed to proceed. However, it was stayed pending determination of the appeal against the ICO’s fine.

Comment

The decision significantly limits the legal causes of action available to claimants in relation to data breach claims arising out of cyber-attacks, where the defendant was the victim (rather than the perpetrator) of the cyber-attack. The court was unwilling to permit causes of action to be used in these kinds of claims beyond the established statutory regime under DPA 1998.

The decision is likely to be welcomed by corporate victims of third-party cyber-attacks who may then be exposed to claims in respect of compromised personal data, as it narrows the potential causes of action under which they could be held liable. It is also likely to change the way claimants advance these types of cases in the future, by limiting most actions to a claim for breach of statutory duty under DPA 1998.

The decision is also notable as the costs implications arising out of the dismissal of the breach of confidence and misuse of private information claims could bring the economic viability of pursuing low-value claims into question.

The losing party in English civil litigation is typically required to reimburse some or all of the winner’s costs. In turn, claimants in low value data claims often purchase ATE insurance as protection against such adverse costs awards. While ATE insurance premiums are typically not recoverable in data protection claims, they can be recoverable for misuse of private information and breach of confidence claims. There is therefore normally a strategic advantage for claimants to plead both of these causes of action alongside their data claims. However, if following the High Court’s decision in Warren v DSG Retail Limited the only remaining cause of action is for breach of statutory duty under DPA 1998 (in respect of which ATE insurance premiums are not recoverable), ATE insurance premiums will not form part of a successful claimant’s recoverable costs. As these premiums can often exceed the damages claimed in respect of a data breach, claimants may be dissuaded from pursuing low-value litigation in respect of data breaches caused by external cyber-attacks.


Texas Attorney General Ken Paxton (R) on Monday sued Facebook’s parent company, Meta Platforms Inc., alleging that the social media giant for years collected Texans’ biometric data without their full consent, in violation of state privacy laws.


Paxton’s lawsuit, filed in district court in Harrison County, alleges that Facebook collected users’ biometric identifiers from photos and videos without properly informing them, shared the data with third parties and failed to delete it in a timely way, from about 2010 to late 2021 — when Meta announced it would shut down Facebook’s facial recognition system and delete the data it collected on more than 1 billion people.

In a statement, Paxton called the allegations “yet another example of Big Tech’s deceitful business practices.” At a news conference on Monday, he said the state will ask the court for damages in the “billions of dollars.”

The lawsuit comes at a sensitive time for Facebook, which changed its corporate name to Meta in October amid deepening crises for its social media business, rebranding itself as a forward-looking creator of a digital world known as the “metaverse.”

The company settled a class-action lawsuit that made similar claims in Illinois last year for $650 million. Facebook could not immediately be reached for comment early Tuesday. A spokesperson for Meta told The Washington Post in a statement that the Texas claims “are without merit and we will defend ourselves vigorously.”

The complaint claims that Facebook — which it estimated had some 20.5 million users in Texas in 2021 — knowingly violated the state’s Capture or Use of Biometric Identifier Act (CUBI) and Deceptive Trade Practices and Consumer Protection Act (DTPA) for over a decade with its now-defunct, facial-recognition-based photo and video tagging technology.

The DTPA bans “false, misleading, or deceptive acts or practices” in business, while CUBI makes it illegal for private entities to capture, disclose or profit from a person’s biometric identifiers without their informed consent. It mandates that biometric identifiers collected for commercial purposes be stored and shared carefully and destroyed “within a reasonable time,” defined in the law as “not later than the first anniversary of the date the purpose for collecting the identifier expires.”

In Illinois, Facebook unsuccessfully tried to quash a class-action lawsuit filed in 2015 on behalf of millions of users in the state who said the social media platform collected and stored their biometric data without their consent, in violation of the Illinois Biometric Information Privacy Act.

Under the Texas biometrics law, which like the Illinois law requires the informed consent of the people whose data is being collected, violations can incur civil penalties of up to $25,000 each. Meanwhile, violations of the DTPA enforced by the Texas Attorney General’s Office can result in fines up to $10,000 each.

The Texas complaint says Facebook created the illusion of a safe environment in which people could upload private photos of themselves and their families. Facebook, it claims, offered its users the option to tag their loved ones in the photos and then captured data relating to people’s identifiable facial features without their permission or informed consent, profited off it by sharing it with third parties and failed to properly dispose of it, “exposing Texans to ever-increasing risks to their well-being, safety and security.”

Facebook has defended its photo-tagging feature, including by arguing that users have had the option of opting out since 2017. In its statement from November announcing the end of the technology, the company said that over a third of its daily active users opted in and that it had put other safeguards in place for users, such as “the option to be automatically notified when they appear in photos or videos posted by others.”

Still, the company said then, it would continue to use facial recognition in some instances, such as when users have been locked out of their accounts. “There are many concerns about the place of facial recognition technology in society, and regulators are still in the process of providing a clear set of rules governing its use,” it said. “Amid this ongoing uncertainty, we believe that limiting the use of facial recognition to a narrow set of use cases is appropriate.”

Global Privacy and Cybersecurity Law Updates and Analysis

On July 30, 2021, the UK High Court handed down its judgment in the case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), determining that the claimant could not seek damages on the basis of misuse of personal information, breach of confidence or common law negligence following a data breach.

In 2018, DSG Retail Limited (“DSG”) experienced a cyber attack in which hackers infiltrated DSG’s systems and installed malware that ran on point of sale terminals in DSG stores. As a result of the breach, DSG was fined £500,000 by the UK Information Commissioner’s Office for violating the seventh data protection principle (“DPP7”) under the Data Protection Act 1998 (“DPA”) (i.e., the requirement to implement appropriate security measures). That fine is under appeal.

In the case at hand, the claimant, Darren Lee Warren, brought a claim for damages against DSG, based on distress suffered as a result of the breach of his personal data, which included his name, address, phone number, date of birth and email address. In his claim, Warren relied on theories of breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the DPA and common law negligence.

DSG sought to have the BoC, MPI and common law negligence claims dismissed on the basis that they had no realistic prospect of success. DSG challenged the BoC and MPI claims, contending that neither could stem from a failure to keep data secure because both causes of action require a positive wrongful act on the part of the defendant (whereas, in this case, the breach resulted from an external attack). With respect to the negligence claim, DSG argued that, where duties under the DPA apply, the same action cannot be brought in negligence. In addition, DSG argued that negligence required pleading of a recoverable loss, which was not present in this instance.

While the claimant conceded that the BoC claim was untenable, he argued the validity of the MPI claim, stating that he had provided DSG his data with the reasonable expectation it would remain private and that DSG’s failure to protect that data through basic security measures was tantamount to publication of the data. On the negligence claim, the claimant argued that, although the duty of care under negligence “informs” the judicial approach under DPP7, the two duties are separate and the claim under the DPA therefore did not preclude a negligence claim.

The judge disagreed, stating that neither BoC nor MPI imposes a data security duty on the holders of information; instead, both prohibit actions by the holder that are inconsistent with the obligations of confidence and privacy. The argument that DSG’s failures constituted a positive action was rejected, with the judge describing it as an “unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.” With respect to negligence, the judge relied on Court of Appeal precedent in holding that there was no common law duty of care, due to the already applicable statutory duty under the DPA. Further, the judge determined that “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action,” whereas the DPA, on the other hand, allows compensation for distress resulting from a controller’s breach of DPP7; therefore, the claimant had failed to allege any relevant loss under a negligence action.

Ultimately, the judge dismissed the BoC, MPI and negligence claims, while the claim based on breach of DPP7 has been stayed pending a final determination of DSG’s appeal against the ICO fine.

The Situation: On August 3, 2018, Ohio Governor John Kasich signed Senate Bill 220, the Ohio Data Protection Act (“Ohio DPA”), which provides a safe harbor against data breach lawsuits for businesses that implement and maintain cybersecurity programs that meet certain industry-recognized standards.

The Result: The Ohio DPA provides businesses with an incentive to implement and maintain an effective cybersecurity program, in contrast to other states that have taken a more punitive approach to cybersecurity, such as California’s recently passed Consumer Privacy Act that imposes new obligations and potential liabilities on California businesses.

Looking Ahead: The Ohio DPA goes into effect on November 2, 2018.

The Ohio DPA incentivizes businesses to implement and maintain an effective cybersecurity program by providing an affirmative defense to certain tort actions related to data breaches. The law does not require businesses to comply with the Ohio DPA. Rather, a business that can demonstrate its cybersecurity program meets certain enumerated standards is eligible for the defense to liability for the breach.

Recognizing that different businesses have different needs and resources when it comes to cybersecurity, the Ohio DPA takes into account individualized factors to determine the adequate scale and scope of a business’s program under the law. A business has the flexibility to choose from different cybersecurity frameworks as the foundation for a program (as discussed below), allowing a business to tailor its program based on a company’s particular industry and circumstances.

Notably, the Ohio DPA is the first law of its kind in the United States and is the first piece of legislation from Ohio Attorney General Mike DeWine’s CyberOhio Initiative. While other states require businesses to meet certain cybersecurity compliance standards or punish businesses that suffer a data breach, no other state provides an affirmative defense as an incentive to adopting industry-standard cybersecurity practices like Ohio’s new DPA.

The Ohio DPA provides two incentives for businesses: (i) the DPA provides the opportunity for businesses to evaluate and improve their current program, which, as a result, lessens the likelihood of a data breach; and (ii) if such a breach still occurs, the DPA provides a safe-harbor defense against tort claims asserting that the business has inadequate data security measures.

In deciding whether to take advantage of the Ohio DPA’s safe-harbor provision, businesses should take into account the ever-increasing number of high-profile data breaches, which often result in substantial monetary and reputational damage.

Cybersecurity Program

To take advantage of the safe harbor provision under the Ohio DPA, a business must implement a cybersecurity program that is designed to:

  • Protect the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of personal information; and
  • Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud for the associated individuals.

Scale and Scope of the Business are Important Factors Under the Ohio DPA

The Ohio DPA recognizes that there is no “one size fits all” approach to cybersecurity. Thus, the scale and scope of an effective program under the law takes into account:

  • The size and complexity of the business;
  • The nature and scope of the activities of the business;
  • The sensitivity of the information to be protected;
  • The cost and availability of tools to improve information security and reduce vulnerabilities; and
  • The resources available to the business.

The Ohio DPA reflects the reality that, for example, a local hardware store with six employees should not be expected to maintain the same kind of cybersecurity program as a bank with hundreds of employees and troves of sensitive customer data.

Applicable Cybersecurity Frameworks Under the Ohio DPA

The Ohio DPA seeks to provide companies both certainty and flexibility by establishing an affirmative defense for a business that “reasonably conforms” to one of six industry-recognized cybersecurity frameworks, alone or in combination with the Payment Card Industry Data Security Standard, or PCI DSS:

  • National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework;
  • NIST Special Publication 800-171;
  • NIST Special Publications 800-53 and 800-53a;
  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
  • The Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
  • The International Organization for Standardization/International Electrotechnical Commission 27000 Family—Information Security Management Systems.

Businesses regulated by state and/or federal governments must “reasonably conform” to one of the following cybersecurity frameworks, if applicable to that particular business:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule;
  • Title V of the Gramm-Leach-Bliley Act of 1999;
  • The Federal Information Security Modernization Act of 2014 (FISMA); or
  • The Health Information Technology for Economic and Clinical Health Act (HITECH).

These frameworks are designed to apply to a wide variety of businesses, from the health care industry to the financial sector. Individual businesses are free to choose which framework is most applicable to their operations.

Getting an education isn’t just about books and grades – we’re also learning how to participate fully in the life of this nation. (Because the future’s up to us!)

But in order to really participate, we need to know our rights – otherwise we may lose them. The highest law in our land is the U.S. Constitution, which has some amendments, known as the Bill of Rights. The Bill of Rights guarantees that the government can never deprive people in the U.S. of certain fundamental rights including the right to freedom of religion and to free speech and the due process of law. Many federal and state laws give us additional rights, too.

The Bill of Rights applies to young people as well as adults. And what I’m going to do right here is tell you about THE RIGHT TO PRIVACY.

WHAT IS THE RIGHT TO PRIVACY?

The right to privacy is not mentioned in the Constitution, but the Supreme Court has said that several of the amendments create this right. One of the amendments is the Fourth Amendment, which stops the police and other government agents from searching us or our property without “probable cause” to believe that we have committed a crime. Other amendments protect our freedom to make certain decisions about our bodies and our private lives without interference from the government – which includes the public schools.

WHAT ARE MY RIGHTS CONCERNING THE POLICE?

You’ve all heard cops on TV or in the movies say, “you have the right to remain silent.” Well, that’s exactly what you should do if the police ask you questions. Remember, anything you say can be used against you.

Just give the police your name and address and say you want to speak to your parents and a lawyer. As soon as you do that, the police must stop questioning you.

The police aren’t allowed to search you unless they have a warrant signed by a judge or unless they are arresting you. However, if they believe that you have a weapon, they can frisk you, and if they feel a weapon, they can then search you. If the cops ask to search you or your car, don’t resist the search, but let them know that you don’t consent to it.

DO I HAVE A RIGHT TO PRIVACY WHEN I’M IN SCHOOL?

Yes and no. Since public schools are run by the government, they must obey the Constitution. However, you do have fewer privacy rights in school than outside of school. Some of the so-called solutions to problems like drugs and violence – such as searching us or planting undercover cops in the hallways to spy on us – can abuse students’ rights. It’s like, hey guys, this is school, not prison!

WHAT SHOULD I DO IF A TEACHER WANTS TO QUESTION OR SEARCH ME?

You have the right to remain silent if you’re questioned by a school official. Usually there is no problem with answering a few questions to clear something up. But if you think that a teacher suspects you of having committed a crime, don’t explain, don’t lie and don’t confess, because anything you say could be used against you. Ask to see your parents or a lawyer.

The Supreme Court ruled in 1985 in New Jersey v. T.L.O. that school officials, unlike police, may search students without a warrant when they have “reasonable grounds for suspecting that the search will turn up evidence that the student has violated either the law or rules of the school.” But school officials may not search you unless they have a good reason to believe that you in particular — not just “someone” — broke a law or a school rule. So, if a teacher thinks she saw you selling drugs to another student, she can ask you to empty your pockets and can search your backpack. But just because they think some students have drugs doesn’t give them the authority to search all students.

And no matter what, the search must be conducted in a “reasonable” way, based on your age and what they’re looking for. Strip searching is illegal in many states, and where it is allowed, there has to be a solid reason to suspect a particular student of having committed a really serious crime.

In some states, courts have ruled that a student’s locker is school property, so the school can search it. But in other states, school officials must have “reasonable suspicion” that you are hiding something illegal before they can search your locker. Your local ACLU can fill you in on your state laws. But here’s a word to the wise: don’t keep anything in your locker that you wouldn’t want other people to see.

WHAT’S THE DEAL WITH DRUG TESTS OR ALCOHOL TESTS?

A drug or alcohol test is a search, but whether the officials in your school have to have “reasonable suspicion” that you’re a user before they can make you take a test depends on what state you live in.

A Supreme Court decision in 1995 in a case called Vernonia v. Acton said that student athletes can be tested for drugs because athletic programs are voluntary, and student athletes are role models. Students all over the country are protesting random testing programs, where officials test a few individuals or force a whole class to be tested just because they suspect that “someone” is doing drugs. Check with your local ACLU to know what the deal is in your state.

WHAT ABOUT METAL DETECTORS?

They’re allowed in many states because the courts have ruled that a metal detector is less of an invasion of privacy than frisks or other kinds of searches. Nevertheless, some states have guidelines to protect students’ rights. California, for example, allows metal detectors in its schools, but it says they can’t be used selectively just on certain students – that’s discrimination.

WHAT ABOUT THE PRIVACY OF MY BODY?

What you do or don’t do with your body is your personal business. If you need to have a pregnancy test, or if you’re pregnant, you should go to the family planning clinic nearest you. Your local ACLU can help you find one. Some schools provide birth control supplies; find out if yours does. If you go to the doctor, find out what the doctor’s policy is on telling your parents.

It’s your constitutional right to have an abortion. You don’t even have to tell your boyfriend about it if you don’t want to. However, some states require women under the age of 18 to get their parents’ permission, or at least tell them about the abortion. But if you can’t tell your parents, you have a right to go to court and ask the judge to drop the parental notification requirement in your particular case.

Reproductive rights is a very serious issue, and groups like the ACLU are working hard to make sure no woman or girl loses her rights to a safe and legal abortion if she decides to have one.

WHO HAS TO KNOW IF I HAVE AN HIV TEST?

Some states require your parents be notified before you get tested or get treatment. Ask your local ACLU about the laws in your state concerning HIV testing of minors, and where you can get tested anonymously. One last thing: your school or employer doesn’t have the right to force you to be tested for HIV. You totally have the right to refuse to take an HIV test.

“(The right to privacy is a person’s) right to be left alone by the government … the right most valued by civilized men.”
– Former Supreme Court Justice Louis Brandeis

We spend a big part of our life in school, so let’s make a difference. Join the student government! Attend school meetings! Petition your school administration! Talk about your rights with your friends! Get involved!

Data risks are not just for big businesses. Virtually all companies are at risk — including yours.

When you hear about data breaches, it’s likely that you think of tech companies or a hack at a major retailer that you read about in the headlines. But the fact is, it’s not the sort of thing that only happens to tech companies or larger businesses or organizations. In fact, according to a report from the U.S. Department of Homeland Security, manufacturing is the industry with the second-highest number of reported cyberattacks.

Want to understand your risk? Ask yourself:

  • Do you store, own or have access to data?
  • What kind of data is it?
  • How many data records do you have?

The impact of a data breach incident can be extraordinarily costly for businesses without the right protection:

  • $8.19 million – average total cost of a data breach (U.S. average)
  • $1.42 million – average cost of lost business due to a data breach
  • 25,575 records – average size of a breach
  • $242 – cost per lost record
  • 245 days – time to identify and contain a breach

What type of data is at risk?

A data breach is an incident in which unauthorized individuals gain access to sensitive, protected, or confidential data. Data breaches may involve a wide range of information, but the data in question often falls into one of two categories:

  • Personal information − such as names, emails, date of birth, street addresses, social security numbers, or phone numbers.
  • Financial information − data from business transactions including credit card or bank account information.

If you store these types of data or transact business electronically, you are at risk.

What can happen?

Think about a manufacturing company, professional service firm, retail store or wholesaler. All of these businesses have one thing in common — they have employees’ and customers’ personal and financial files that could be exposed.

What if…

  • An employee loses a laptop with sensitive information?
  • A rogue employee steals information?
  • Sensitive information is improperly discarded?
  • A credit card system is compromised?
  • A firewall fails and hackers access sensitive information?

All of these could happen to any business at any time. Would yours be prepared?

Being proactive is key

“Data is one of the most valuable assets your company has — and one of the most vulnerable. Increasingly, hackers and malicious threats are targeting smaller businesses because they think they aren’t paying attention. It is crucial to have plans in place to keep your data safe at every touch point, protect your systems, monitor for intrusions and be ready to mitigate a breach.”

— Eric Cernak, vice president of cyber practice at The Hanover

Tailored cyber protection

Cyber coverage offers protection from threats posed by cyberattacks and data breaches — including losses to a company’s finances, reputation and operational capabilities.

Data breach coverage

This coverage helps protect your business from the direct costs faced when a data breach occurs, such as notification, credit monitoring, cyber investigation and public relations expenses. Coverage highlights include:

  • Data breach expense coverage for:
    • Notification, forensic analysis and credit monitoring services expenses
    • Breach restoration for costs of labor to re-create or copy lost or stolen data
    • Cyber business interruption and extra expenses incurred due to a breach
  • Additional expense coverage for:
    • Legal services, public relations and third-party data breach
    • Data breach reward to pay informants who provide information leading to the capture and conviction of a “hacker”
    • Data breach investigation expenses resulting from a regulatory investigation
    • Cyber theft for loss from transferring, paying or delivering funds due to fraudulent input of data in your system
  • Data breach services, including fraud alert, help line, identity restoration and consulting services

Cyber liability coverage

This protection covers costs that stem from a lawsuit against a business, alleging financial damage as a result of a data breach. These lawsuits may be the result of identity theft or compromised financial information that results in loss for customers.

Coverage highlights include:

  • Privacy and security liability for third-party claims arising out of a privacy breach or security breach, including loss or theft of private personal data or failure of your client’s system
  • Cyber media liability addresses third-party claims arising out of an electronic media breach such as infringement, trademark, plagiarism, invasion of privacy, defamation, libel and slander resulting from cyber content

Cyber privacy and security coverage

This coverage combines protection for expenses that businesses pay in an effort to manage the fallout from a data breach with coverage for costs that stem from a lawsuit against a business. Coverage is offered as part of a convenient suite of management liability products for seamless protection.

Consumers routinely entrust businesses with personal information, including their names and addresses, financial account numbers, medical information, and other information commonly deemed “private.” Our legal system only has a few laws and enforcement mechanisms to protect consumers from data breaches that could leave them vulnerable to identity theft and other illegal schemes. Courts have also offered only cursory recognition of a general right to privacy. Most laws dealing with the privacy of consumers’ personal information fall into two categories: laws that prohibit accessing computer systems without authorization, and laws that protect specific types of information.

Data Breaches

The term “data breach” refers to any release of private, confidential, sensitive, or proprietary information into an unsecured or untrusted environment. The information could be released onto another computer or computer network, or directly onto the internet where anyone could access it. The release could be a deliberate or accidental act by someone with responsibility for the security of the information, or the result of an unauthorized intrusion into a secured computer network. Recent data breaches include the breach of the retail company Target, which resulted in the theft of millions of customers’ credit card information, and the breach of Apple’s iCloud data storage system, which was followed by the release of the private photos of numerous (mostly female) celebrities.

Data Breach Laws

Laws like the federal Computer Fraud and Abuse Act (CFAA) prohibit unauthorized access to computer systems. The statute originally only applied to computer systems used by the government or financial institutions, but the internet has made its coverage of any computer “used in a manner that affects interstate or foreign commerce” apply to almost any computer, smartphone, or tablet in use today. See United States v. Kramer, 631 F.3d 900 (8th Cir. 2011).

Liability for Data Breaches

Most statutes addressing data security treat a breach much like a trespass, focusing on the act of intruding on a computer or network without authorization. Consumers may also be able to assert civil claims against the business that held their data, rather than only against the intruder, if their personal information is exposed. Sony Corporation, for example, settled claims in the summer of 2014 arising from a 2011 breach that exposed the personal data of about 77 million PlayStation Network users, and Target faces multiple class action lawsuits over its 2013 breach.

Right to Privacy

The U.S. Supreme Court ruled that the U.S. Constitution protects an individual right to privacy in Griswold v. Connecticut, 381 U.S. 479 (1965). The question of exactly how that ruling on “marital privacy” extends to digital and online privacy rights, however, remains largely unsettled. California is among the states whose constitutions expressly recognize an individual right to privacy.

Privacy Legislation

Federal laws that address privacy generally focus on specific types of information, or specific custodians of information:

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 regulates medical providers, health insurance providers, and other affiliated entities that routinely handle “protected health information”;
  • The Fair Credit Reporting Act (FCRA) regulates the collection and distribution of consumer credit information, particularly by the major credit reporting agencies; and
  • The Electronic Communications Privacy Act (ECPA) of 1986 restricts wiretaps and other forms of electronic monitoring.

California’s Online Privacy Protection Act (OPPA) regulates commercial websites that collect “personally identifiable information” from users, including disclosure requirements and the consumers’ rights to review and modify their information.

The General Data Protection Regulation (GDPR) began to apply on 25 May 2018, accompanied in the UK by the Data Protection Act 2018. Together they gave individuals more control over their personal data and set limits on what data organisations may hold and how they must protect it.

What is a breach?

A data breach is when personal data is lost, destroyed, accessed or disclosed in an unauthorised way, whether by accident or deliberately, and whether by someone inside or outside the organisation.
Breaches can happen as a result of inadequate business practice, human error or cybercrime, which means our personal and sensitive data is often not as safe as it should be.

What is the impact?

Sadly breaches are common, and the consequences can be significant.
A data breach can result in both financial loss and/or identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can steal your identity, set up fraudulent bank accounts and access your existing accounts.
Many victims also suffer from stress, anxiety and distress.

Can you get compensation for breach of data protection?

If you believe your personal data has been lost or misused and you have suffered loss or distress, you may be able to claim for compensation.
However, data breach cases are not straightforward and it is recommended that you use a solicitor who specialises in this area of law.
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, can investigate the incident. It has the power to impose a fine, but it does not award compensation to the victim. To be awarded compensation you will need to make a civil claim against the organisation that breached your data.

How much compensation will you get?

The level of damages will depend on the type of data breached and how this has affected you both financially and mentally.
We can discuss the nature and extent of your individual case and give advice on the likely value of your claim, before you decide whether you want to go ahead with a claim.

Next steps.

If your data or privacy rights have been infringed you can bring a claim, either individually or as part of a group action.

Each case is different and Ashfords’ specialist lawyers can give you advice on the best option for you based on your individual situation.

We can also take steps to minimise the impact of the breach.


In recent years, the spotlight has been shone on businesses which hold the personal data of individuals.

10 August 2021. Published by Alex Vakil, Partner and Ridvan Canbilen, Associate

Darren Lee Warren v DSG Retail Limited [2021] EWHC 2168 (QB)

The number of claims issued in the High Court (Media and Communications List) with a data protection element continues to increase. The rise in claim numbers can be attributed to a number of factors including: (i) individuals becoming more aware of their rights under data protection legislation, (ii) uncertainty as to whether individuals may recover damages for a loss of control of their personal data without proving material damage or distress; (iii) the abundance of specialist law firms who are prepared to act for individuals on a “no-win-no-fee” basis and (iv) the availability of After the Event (“ATE”) insurance to protect a would-be claimant against adverse costs orders.

It is the last of these factors that has arguably proved to be the element that has most contributed to this increase in claims. Claims for breach of data protection legislation are not “publication and privacy proceedings” under the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (“LASPO”). As such, claimants are not entitled to recover ATE premiums from defendants in claims for breach of data protection legislation alone. However, to counter this, a common tactic of claimants has been to assert claims in misuse of private information and breach of confidence alongside claims for breach of data protection legislation, in an attempt to bring the claims within the exemption provided by LASPO, and which would in theory permit the recovery of ATE insurance premiums from defendants in the event of a successful claim.

The recent judgment in Darren Lee Warren v DSG Retail Limited provides much needed clarity in relation to the availability of causes of action that are commonly asserted by claimants in pre-action correspondence alongside claims for breach of data protection legislation. It is likely to have a significant impact on the future recoverability of ATE premiums.

What is the case about?

The Defendant, DSG, operates the well-known ‘Currys PC World’ and ‘Dixons Travel’ brands. Between July 2017 and April 2018, attackers infiltrated DSG’s systems and installed malware and thereby accessed the personal data of many of DSG’s customers.

The Claimant had purchased goods from a store operated by the DSG and brought a claim alleging that his name, address, phone number, date of birth and email address had been compromised.

What causes of action were advanced?

The Claimant brought a claim for breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the Data Protection Act 1998 (“DPA”), and common law negligence. The claim form sought damages of £5,000 in respect of distress.

The Defendant applied for summary judgment and/or an order striking out all causes of action save for the claim relating to the breach of the DPA.

What did the judge decide?

Mr Justice Saini struck out the Claimant’s claims in MPI, BoC and common law negligence. We focus on MPI and BoC in this article.

Saini J noted that the Claimant’s claims were all based on the cyber-attack and recognised that the Claimant sought to position the actionable wrong as a ‘failure’ which allowed the attacker to access the personal data, rather than any positive conduct/action on behalf of the Defendant.

The judge characterised the Claimant’s contention that the Defendant failed to protect the data as an attempt at articulating some form of data security duty. The judge clarified that neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential) and that instead, both MPI and BoC are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence / privacy.

In respect of BoC, Saini J drew on caselaw indicating “a negative obligation not to disclose confidential information” and a requirement for “an unauthorised use” of information to establish the tort.

Saini J also characterised MPI as a tort that was developed out of BoC in order to comply with obligations under the Human Rights Act 1998 and cross-referred to the ECHR and the requirement for / to avoid an ‘interference’ with the Claimant’s Article 8 rights.

Crucially, the judge was not convinced by the novel argument advanced by the Claimant that the conduct of DSG was “tantamount to publication”. He described it as an “unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI“.

Will this judgment stem the tide of data claims?

The availability of no-win-no-fee agreements together with ATE insurance protection gives an individual whose personal data has been compromised the potential to claim compensation from a data controller arising from, for example, an accidental data breach.

When asserting claims against data controllers for breach of data protection legislation, it has been a common tactic for claimants to also include claims for MPI and/or BoC, in an attempt to take advantage of the exemptions in LASPO for ‘publication and privacy proceedings’, in theory enabling claimants to recover ATE insurance premiums from defendants in the event of being successful at trial.

Typically in such matters, the ATE premium is considerable when compared to the damages sought, which will often even on the Claimant’s own case be relatively low. The prospects of recovery of the premium as legal costs from a data controller will have a significant impact on the decision as to whether to proceed with such claims in circumstances where the damages realistically recoverable are likely to be less than the ATE premium.

Whilst the judgment may not be enough to discourage claimants from asserting claims for MPI and BoC alongside data protection claims, the threat of these claims being struck out (with the prospect of adverse costs orders being made) may make the obtaining of ATE insurance harder to come by or disproportionately expensive. If claimants are unable to obtain reasonably priced ATE insurance premiums, there may be an increased reluctance to issue proceedings given the potential costs risk an individual may be exposed to. This may in the round lead to fewer claims being issued.

It remains to be seen whether there will be a noticeable drop off in claims as result of this judgment although it is likely that this judgment will embolden data controllers to be more robust in their defence of such claims and refuse, for example, to include the costs of ATE insurance premiums as part of any pre-action settlement.

Another important issue for data controllers at present remains whether a data subject may recover damages for a loss of control of personal data without proving material damages or distress. This issue will be resolved in the Supreme Court case of Lloyd v Google in which judgment is expected later this year. RPC supported techUK as an intervening party in the submitting a written intervention in the case.



It’s hard to go a few days of scanning the news without hearing about a major data breach, potentially exposing millions of customers’ personal data to criminals. Here are a few tips to ensure your personal information doesn’t end up in the wrong hands.

Create strong passwords

When creating a password, avoid anything a criminal could guess or look up, such as your birthday or a pet’s name. Length matters more than clever substitutions: a long passphrase of several unrelated words resists guessing far better than a short string of mixed letters, numbers and symbols. Never reuse a password across sites; when one site is breached, attackers try the leaked credentials everywhere else. A password manager can generate and store a unique password for every account so you do not have to remember them, and a password should be changed whenever there is reason to think it has been exposed rather than only on a fixed schedule.

Don’t overshare on social media

We all have that one friend who posts too many intimate details of their life online. Not only can this be annoying, but it can also put your personal information at risk. Check your privacy settings so you are aware of who’s seeing your posts, and be cautious when posting your location, hometown, birthday, or other personal details.

Use free Wi-Fi with caution

A little online shopping never hurt anyone…or did it? Free public Wi-Fi is usually open, or shares one password with everyone in the building, so other people on the network can see which sites you visit and can tamper with any connection that is not protected by encryption. Most sites now use HTTPS, which limits what an eavesdropper sees, but a hostile network can still redirect you to a lookalike page or interfere with sites that are poorly configured. Save purchases and banking for home or a trusted, password-protected network.

Watch out for links and attachments

Cybercriminals are sneaky, and will often compose their phishing messages to look like legitimate communications from a bank, utility company, or other corporate entity. Spelling errors, urgent demands, and above all a sender address whose domain does not match the organisation’s real one are clues that the message is a phishing attempt. Hover over a link before clicking it and compare the destination domain with the one you expect.

Check to see if the site is secure

Before entering personal information into a website, look at the address bar. A lock symbol and a URL beginning with “https” mean that the connection is encrypted and that the site holds a certificate for that domain name; they do not mean the site is honest. Phishing pages routinely use HTTPS too, so check that the domain itself is the one you expect (for example, examplebank.com rather than examplebank.com.something-else.example). A privacy policy, contact information, or a “verified secure” seal are weak signals at best, since all three can be copied onto a fraudulent page.
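The two tips above both come down to comparing the domain you are looking at with the domain you expect. The script below is an added example written for this page, not code from Chubb or from the original article. It checks a `From:` header and a link against an assumed genuine domain (`examplebank.com` is a placeholder) and reports the usual tricks: a look-alike spelling, the real name parked as a subdomain of an attacker’s domain, a plain `http` link, and a brand name in the display name that the address does not back up. The sample headers and URLs are constructed for the example. Note that `registrable_domain` keeps only the last two labels, which is a simplification that ignores multi-label public suffixes such as `co.uk`.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed domain of the genuine sender; everything below is measured against it.
EXPECTED_DOMAIN = "examplebank.com"

# Constructed sample inputs for this example (not real messages).
SAMPLE_FROM_LEGIT = '"Example Bank" <alerts@examplebank.com>'
SAMPLE_FROM_LOOKALIKE = '"Example Bank Security" <alerts@examp1ebank.com>'
SAMPLE_LINK_SUBDOMAIN = "https://examplebank.com.verify-account.example/login"
SAMPLE_LINK_NO_TLS = "http://examplebank.com/login"

# Digit and digraph substitutions commonly used to imitate a brand name.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label public
    suffixes such as co.uk; a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold(label: str) -> str:
    """Collapse look-alike characters so 'examp1ebank' compares equal to 'examplebank'."""
    folded = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded


def domain_flags(host: str, expected: str) -> list[str]:
    """Reasons a hostname should not be taken for the expected organisation.
    An empty list means the host is that domain or one of its own subdomains."""
    host = host.lower().rstrip(".")
    expected = expected.lower()
    if host == expected or host.endswith("." + expected):
        return []
    flags = []
    # The real name parked in front of an attacker-controlled domain:
    # examplebank.com.verify-account.example
    if host.startswith(expected + ".") or ("." + expected + ".") in host:
        flags.append("expected-domain-as-subdomain")
    reg_label = registrable_domain(host).split(".")[0]
    exp_label = expected.split(".")[0]
    if reg_label == exp_label:
        flags.append("same-name-different-tld")   # examplebank.co
    elif fold(reg_label) == fold(exp_label):
        flags.append("lookalike-domain")          # examp1ebank.com
    elif fold(exp_label) in fold(reg_label):
        flags.append("brand-name-embedded")       # examplebank-secure.com
    return flags or ["unrelated-domain"]


def check_sender(from_header: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Flags for a From: header. A display name that carries the brand while the
    address points elsewhere is the clue the tip above describes."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-address"]
    flags = domain_flags(addr.rsplit("@", 1)[1], expected)
    if flags and expected.split(".")[0] in name.lower().replace(" ", ""):
        flags.append("display-name-spoofs-brand")
    return flags


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Flags for a link. A look-alike host can still present a valid certificate
    and a padlock: the padlock only proves the connection is encrypted to
    whoever controls that name."""
    parts = urlparse(url)
    flags = []
    if parts.scheme != "https":
        flags.append("no-tls")
    if parts.username or parts.password:
        flags.append("credentials-in-url")
    host = parts.hostname or ""
    if not host:
        return flags + ["no-host"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw-ip-host")
    return flags + domain_flags(host, expected)


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_LEGIT, SAMPLE_FROM_LOOKALIKE):
        print(f"{sample!r:58} -> {check_sender(sample) or 'ok'}")
    for sample in (SAMPLE_LINK_SUBDOMAIN, SAMPLE_LINK_NO_TLS):
        print(f"{sample!r:58} -> {check_link(sample) or 'ok'}")
```

Run it as-is to see the constructed samples scored; swap in a real `From:` line or link to try it on mail you have received. The homoglyph table is deliberately short and the suffix handling is naive, so treat a clean result as “nothing obvious”, not as proof the message is genuine.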

Consider additional protection

Install anti-virus and anti-spyware software, keep a firewall enabled, and keep all of them updated. For additional protection, you may want to consider cyber insurance, which can help you and your family recover if you fall victim to a cyberattack. At Chubb, our experts are ready to evaluate your cyber vulnerabilities, help cover fraudulent charges, and ensure your family has the resources it needs to recover emotionally, too.


This version is current as of May 5, 2022. It has been in effect since October 9, 2008.

Note: Earlier consolidated versions are not available online.

The Privacy Act

HER MAJESTY, by and with the advice and consent of the Legislative Assembly of Manitoba, enacts as follows:

“common-law partner” of a person means a person who, not being married to the other person, is cohabiting with him or her in a conjugal relationship of some permanence; (« conjoint de fait »)

“court” means the Court of Queen’s Bench except in section 5 where it means any court and includes a person authorized by law to take evidence under oath acting for the purposes for which he is authorized to take evidence; (« tribunal »)

“defamation” means libel or slander; (« diffamation »)

“family” means the spouse, common-law partner, child, step-child, parent, step-parent, brother, sister, half-brother, half-sister, step-brother, step-sister, of a person. (« famille »)

Registered common-law relationship

For the purposes of this Act, while they are cohabiting, persons who have registered their common-law relationship under section 13.1 of The Vital Statistics Act are deemed to be cohabiting in a conjugal relationship of some permanence.

Violation of privacy

A person who substantially, unreasonably, and without claim of right, violates the privacy of another person, commits a tort against that other person.

Action without proof of damage

An action for violation of privacy may be brought without proof of damage.

Examples of violation of privacy

Without limiting the generality of section 2, privacy of a person may be violated

(a) by surveillance, auditory or visual, whether or not accomplished by trespass, of that person, his home or other place of residence, or of any vehicle, by any means including eavesdropping, watching, spying, besetting or following;

(b) by the listening to or recording of a conversation in which that person participates, or messages to or from that person, passing along, over or through any telephone lines, otherwise than as a lawful party thereto or under lawful authority conferred to that end;

(c) by the unauthorized use of the name or likeness or voice of that person for the purposes of advertising or promoting the sale of, or any other trading in, any property or services, or for any other purposes of gain to the user if, in the course of the use, that person is identified or identifiable and the user intended to exploit the name or likeness or voice of that person; or

(d) by the use of his letters, diaries and other personal documents without his consent or without the consent of any other person who is in possession of them with his consent.

In any action for violation of privacy the court may

(a) award damages;

(b) grant an injunction if it appears just and reasonable;

(c) order the defendant to account to the plaintiff for any profits that have accrued, or that may subsequently accrue, to the defendant by reason or in consequence of the violation; and

(d) order the defendant to deliver up to the plaintiff all articles or documents that have come into his possession by reason or in consequence of the violation.

Considerations in awarding damages

In awarding damages in an action for a violation of privacy of a person, the court shall have regard to all the circumstances of the case including

(a) the nature, incidence and occasion of the act, conduct or publication constituting the violation of privacy of that person;

(b) the effect of the violation of privacy on the health, welfare, social, business or financial position of that person or his family;

(c) any relationship, whether domestic or otherwise, between the parties to the action;

(d) any distress, annoyance or embarrassment suffered by that person or his family arising from the violation of privacy; and

(e) the conduct of that person and the defendant, both before and after the commission of the violation of privacy, including any apology or offer of amends made by the defendant.

Accounting not considered in awarding damages

Notwithstanding anything in subsection (2), in awarding damages in an action for violation of privacy of a person, the court shall not have regard to any order made under clause (1)(c) in respect of the violation of privacy.

In an action for violation of privacy of a person, it is a defence for the defendant to show

(a) that the person expressly or by implication consented to the act, conduct or publication constituting the violation; or

(b) that the defendant, having acted reasonably in that regard, neither knew or should reasonably have known that the act, conduct or publication constituting the violation would have violated the privacy of any person; or

(c) that the act, conduct or publication in issue was reasonable, necessary for, and incidental to, the exercise or protection of a lawful right of defence of person, property, or other interest of the defendant or any other person by whom the defendant was instructed or for whose benefit the defendant committed the act, conduct or publication constituting the violation; or

(d) that the defendant acted under authority conferred upon him by a law in force in the province or by a court or any process of a court; or

(e) where the act, conduct or publication constituting the violation was

(i) that of a peace officer acting in the course of his duties; or

(ii) that of a public officer engaged in an investigation in the course of his duty under a law in force in the province;

that it was neither disproportionate to the gravity of the matter subject to investigation nor committed in the course of a trespass; and was within the scope of his duties or within the scope of the investigation, as the case may be, and was reasonably necessary in the public interest;

(f) where the alleged violation was constituted by the publication of any matter

(i) that there were reasonable grounds for the belief that the publication was in the public interest; or

(ii) that the publication was, in accordance with the rules of law in force in the province relating to defamation, privileged; or

(iii) that the matter was fair comment on a matter of public interest.

Right of action in addition to other rights

The right of action for violation of privacy under this Act and the remedies under this Act are in addition to, and not in derogation of, any other right of action or other remedy available otherwise than under this Act; but this section shall not be construed as requiring any damages awarded in an action for violation of privacy to be disregarded in assessing damages in any other proceedings arising out of the same act, conduct or publication constituting the violation of privacy.

Effect on law of evidence

No evidence obtained by virtue or in consequence of a violation of privacy in respect of which an action may be brought under this Act is admissible in any civil proceedings.

Application of Act

Notwithstanding any other Act of the Legislature, whether special or general, this Act applies where there is any violation of the privacy of any person.

Conflict with other Acts

Where there is a conflict between a provision of this Act and a provision of any other Act of the Legislature, whether special or general, the provision of this Act prevails.

Out-Law Analysis | 03 Aug 2021 | 2:28 pm | 3 min. read

Many of the growing number of data protection-related claims being filed against businesses that have fallen victim to cyber attacks are being brought not just under data protection legislation but also, in the alternative, as claims for breach of confidence or misuse of private information.

A recent ruling should give businesses confidence that they can successfully apply to have those additional causes of action struck out. The case also has wider ramifications in relation to the recoverability of “after the event” (ATE) adverse costs insurance premiums and may therefore affect commercial viability of such claims for claimants.

Some context

Since the Jackson reforms of civil court costs, successful claimants’ ability to recover their lawyers’ success fees and ATE premiums has been significantly curtailed by measures aimed at curbing what was perceived to be a growing litigation culture. One exception to this broad reform was made for the purposes of “publication and privacy proceedings”, i.e. claims in defamation, malicious falsehood, misuse of private information, breach of confidence and harassment. Though the scope of this exception was reduced in April 2019 to exclude success fees from being recoverable in publication and privacy proceedings under conditional fee arrangements entered into from that point onwards, the exception otherwise remains in place in relation to the recoverability of ATE premiums in publication and privacy proceedings.

When a claimant raises claims for breach of data protection legislation, these are not considered to be publication and privacy proceedings. It has therefore become common practice for claimants to bring claims in misuse of private information and breach of confidence alongside claims for breach of data protection legislation with a view to recovering an ATE premium if the claim is successful. This has ramifications for the commercial dynamics of such cases where the amount claimed is often small in comparison to the cost of the ATE premium. In addition, claims involving breach of confidence must be commenced in the High Court, which has led to the Media and Communications List at the court becoming heavily populated with these low value claims. One claims management company issued close to 150 such claims in the first half of 2021 alone.

The case

In his claim, Darren Warren is seeking to recover damages for distress caused following a cyber incident. He advanced his claim under various guises, arguing that there had been breach of confidence, misuse of private information, negligence and breach of various provisions of the Data Protection Act 1998, including the seventh data protection principle, which concerns data security (DPP7). DSG Retail Ltd applied to the court for strike-out of all the claims made other than that under DPP7. Although the case was decided by reference to the 1998 Act, the same points will apply to claims under the current UK GDPR regime.

The ruling

Mr Justice Saini ruled in favour of DSG. The judge struck out Warren’s claims in both breach of confidence and misuse of private information, finding that both causes of action require some form of “positive conduct” by a defendant and that this is lacking in a cyber attack scenario.

In reaching this conclusion, the judge considered the case law arising from the Morrisons data breach litigation, in which the High Court held that the supermarket could not be directly liable in breach of confidence or misuse of private information where the acts alleged to amount to a breach or misuse were carried out by a third party. In the Morrisons case, the third party was an employee who had gone rogue. By analogy, where third-party hackers access, disclose or misuse an individual’s data it is they who are properly liable in breach of confidence and misuse of private information, not the data controller in question. As Mr Justice Saini confirmed, no data security duty arises on data controllers under the common law of breach of confidence or misuse of private information, and there is no need for the law to be extended in that way given that such a duty already exists under data protection legislation.

Mr Justice Saini also struck out Warren’s claim in negligence, applying the principle established in the case of Smeaton v Equifax in 2013 that there is no need to impose a tortious duty of care on a data controller where a bespoke statutory regime for determining their liability already exists.

The judge’s findings mean that Warren’s claim is now limited to a claim for breach of DPP7 only, Warren having conceded that the other breaches of the DPA 1998 that had been alleged should be withdrawn. The remaining claim will be considered by the County Court but not until after DSG’s appeal against a fine imposed on it by the Information Commissioner’s Office in relation to the incident has been ruled on by the first-tier information rights tribunal.

Implications of the judgment

This decision is a positive development for those defending data breach claims as it means that it will no longer be possible to contend that ATE premiums are recoverable from unsuccessful defendants in such cases. The need to pay an irrecoverable ATE premium – which can be 50% or more of the claimant’s estimated losses in such cases – is likely to mean a substantial reduction in such cases in future.

Co-written by Caroline Henzell of Pinsent Masons.

In the UK, human rights are protected by the Human Rights Act 1998. The Act gives effect to the human rights set out in the European Convention on Human Rights.

Article 8 – the right to respect for your family and private life, your home and your correspondence is one the rights protected by the Human Rights Act.

Read this page to find out more about what this right means under the Human Rights Act.

What are your rights under article 8?

Article 8 protects your right to respect for private and family life, your home and correspondence.

What’s meant by private life?

Private life has a broad meaning. It means you have the right to live your life with privacy and without interference by the state. It covers things like:

  • your sexuality
  • your body
  • personal identity and how you look and dress
  • forming and maintaining relationships with other people
  • how your personal information is held and protected

What’s meant by family life?

Family life includes the right to have and maintain family relationships. It covers your right not to be separated from your family and to maintain contact if your family is split up.

To decide if a relationship is covered by family life what matters is the closeness of the relationship rather than the legal status.

Relationships covered by family life include relationships between:

  • parents and their children, including illegitimate and adopted children
  • husband and wife as well as unmarried couples
  • siblings.

Same-sex couples are also protected under article 8. Their relationships were once treated as falling only under private life, but the European Court of Human Rights now recognises a stable same-sex relationship as family life as well.

What’s meant by home?

Your right to respect for your home doesn’t mean you have the right to housing but it protects the home you already have. It means public authorities mustn’t prevent you from entering or living in your home. You also have the right to enjoy your home peacefully without intrusion by a public authority.

A public authority may need to take positive steps so you can peacefully enjoy your home – for example, by reducing aircraft noise or protecting your home from serious pollution.

What’s meant by correspondence?

Correspondence includes things like:

  • letters
  • emails
  • fax
  • telephone.

Examples of article 8 breaches

Examples of where there could be a breach of article 8 include:

  • searches and surveillance of your home
  • separation of family members including deportation or removal of immigrants
  • care or adoption orders for children and interference with your parental rights
  • compulsory medical treatment or testing
  • if you’re treated badly in a care home – if it’s severe enough this could also be a breach of article 3
  • your right to privacy at home and at work – for example, phone tapping, the monitoring of emails and internet use, CCTV
  • if your personal information is disclosed to other people without your consent
  • the imposition of unreasonable dress codes at work
  • the quality and nature of the accommodation provided by local authorities and some housing associations
  • protection from noise and pollution nuisance.

Example

Your husband is suffering from dementia and needs to live in a care home. Your local authority has offered him a place in a care home which is too far away for you and the rest of the family to visit on a regular basis. You’ve asked for a place nearer to your home, but they’ve refused. This could be a breach of your and your husband’s right to respect for family life under article 8. The local authority should consider your rights to a family life when offering your husband a placement.

You could raise the human rights issue with the local authority or make a formal complaint.

Can a public authority interfere with your article 8 rights?

Article 8 is a qualified right. This means a public authority can sometimes interfere with your right to respect for private and family life if it’s in the interest of the wider community or to protect other people’s rights.

Next steps

  • What rights are protected under the Human Rights Act?
  • When can a public authority interfere with your human rights?
  • Who’s breaching your human rights?
  • Taking action about human rights
  • The Human Rights Act 1998

Other useful information

Equality Advisory Support Service (EASS)

The EASS helpline can provide advice and information on human rights and discrimination issues.

Equality and Human Rights Commission (EHRC)

You can find useful information about discrimination on the EHRC website at

Liberty

For more information and advice on the different rights protected under the Human Rights Act go to Liberty’s website at

British Institute of Human Rights

You can also find more information about human rights in Your human rights guides from the British Institute of Human Rights (BIHR) at


Unfortunately, data breaches have become a common feature of modern life in our always-connected world of online services; everyone in the U.S. is at risk of having their data stolen. However, even if your data is compromised in a data breach, you don’t have to become a victim. There are several steps you can take to contain the damage and keep your personal finances, credit score, and identity safe from criminals.

If you find out that a company you do business with – or an online service that you use – has suffered a data breach, here are a few steps to take right away:

1. Change your passwords

It’s a good idea to keep changing your password on a regular basis, but in the aftermath of a data breach, it’s especially important to change your passwords to something strong, secure, and unique. And you should have multiple “passwords,” not just one. Do not use the same password for all of your online accounts. In general, a “strong” password is at least 8 characters with a mixture of letters, numbers, and symbols. Consider using a password manager to help generate and keep track of your passwords.

2. Sign up for two-factor authentication

In addition to changing your passwords, sign up for two-factor authentication (also known as “2FA” or “two-step verification”) wherever possible. This is an added layer of security for your account logins, and many services such as Gmail and Facebook now offer it. With two-factor authentication, your online account will require you to enter an additional level of identification to access your account – such as a code texted to your phone. This means that even if hackers get your email and password, they can’t get into your account without that second factor of identity verification.

3. Check for updates from the company

If your data is involved in a major data breach, the company will likely post ongoing updates and disclosures about which customers were affected. For example, after a recent Facebook data breach, the company automatically logged out the users whose accounts were affected and sent them messages via the platform about what had happened and what to do next. After the Equifax data breach, the Federal Trade Commission (FTC) offered a series of advisories and steps that people could take to protect themselves.

4. Watch your accounts, check your credit reports

After a data breach, it’s essential to be vigilant and pay extra attention to your account activity – that includes your account at the company that suffered the breach, as well as your bank account and other financial accounts. Read your credit card statements and watch for suspicious transactions. Also, sign up for your free annual credit report to check your credit reports from each of the three credit reporting bureaus.

5. Consider identity theft protection services

If you want additional peace of mind, you can consider signing up for identity theft protection services. However, these services are not cheap, and you can do many of the actions yourself. Often when there is a significant data breach, the company involved will give affected customers a free year of credit monitoring.

6. Freeze your credit

Another step you can take, whether you’re affected by a data breach or not, is to freeze your credit. You can do this by contacting each of the three credit bureaus (Equifax, Experian, and TransUnion) and asking to freeze your credit. There is no cost to freeze your credit, and it will prevent any new credit accounts from being opened in your name. Even if identity thieves have access to all of your personal data, they can’t open new accounts under your name if your credit is frozen. The only drawback of freezing your credit is that it prevents you from applying for new credit too – so don’t do it if you are expecting to need a new car loan, home loan, or credit card account. You can un-freeze your credit at any time.

7. Go to IdentityTheft.gov

If you are affected by a data breach, there is a government website that can help you assess the situation and understand your options for what to do next. There are a variety of resources with tips and advice on what to do if your personal information was lost or stolen.

Being affected by a data breach can be alarming, and in the worst-case scenario, it can lead to identity theft and financial complications. But if you know what to expect, and you take a few simple steps to protect yourself and stay vigilant, you can overcome the risks and hassles of a data breach.


Breach of confidence explained

Laws relating to breach of confidence are based on the principle that someone who is given information in confidence, or has somehow obtained confidential information, should not take unfair advantage of it. This area of law is often used by individuals, businesses, and governments to protect information that should be kept secret.

Common disputes

Disputes arise on many occasions. For example, they are common in cases relating to:

  • leaks to the media;
  • news organisations reporting on confidential information;
  • people sharing confidential information on social media or websites or with third parties;
  • divorces or other family cases where a spouse accesses or uses their partner’s confidential information and documents in an unlawful manner;
  • former employees transferring confidential information that does not belong to them to their new employer; and
  • trade secrets that are unlawfully used by defendants.

Three elements to a breach of confidence

There are three elements to a breach of confidence claim. These are that:

  1. The information must have the “necessary quality of confidence”;
  2. The information must have been imparted in circumstances imposing an obligation of confidence; and
  3. There must be unauthorised use of that information to the detriment of the person or entity that originally communicated it.

Disclosure and confidentiality

There is no requirement for there to be a direct relationship between the person who wishes to protect the information and the person who wishes to disclose it. All that is needed is that a reasonable person would understand from the nature and circumstances of a disclosure that they were receiving information or material in confidence.

While confidentiality agreements are useful, particularly as evidence, they are not always needed to enforce legal confidentiality rights. The law of confidence in any event safeguards non-trivial ideas or information that is imparted or obtained in confidential circumstances, provided it is not already in the public domain.

The legal remedies to breaches of confidence

Legal remedies include:

  • injunctions to stop information being shared or published, either before or after confidential information has been shared or published
  • court orders for the confidential material to be returned to the claimant or destroyed
  • court orders requiring third parties to reveal the source of their information
  • financial damages.

The losing party at court is also almost always ordered to pay the winning party’s legal costs.

Confidentiality agreements

While we are a litigation-only law firm, as part of this process we draft confidential settlement agreements and non-disclosure agreements, as well as advise upon litigation issues relating to confidentiality clauses in contracts.

The Florida Information Protection Act of 2014 was passed to better protect Floridians’ personal information by ensuring that businesses and government entities take reasonable measures to protect personal information and report data breaches to affected consumers.

Understand Florida’s Information Protection Act.

The bill includes the following protections:

  • Requires proper notice to be provided to consumers within 30 days unless good cause is shown for an additional 15 day delay;
  • Requires proper notice to be provided to the Office of the Attorney General for a breach affecting 500 or more individuals;
  • Expands the definition of personal information to include health insurance, medical information, financial information and online account information, such as security questions and answers, email addresses and passwords;
  • Defines what information must be included in a proper notice;
  • Expands the statute to cover state governmental entities and their instrumentalities;
  • Requires businesses and state government entities to take reasonable measures to protect data;
  • Requires the Office of the Attorney General to provide an annual report to the Legislature regarding data breaches of governmental entities; and
  • Authorizes enforcement actions under Florida’s Unfair and Deceptive Trade Practices Act for any statutory violations.

Protect your personal information.

While there is no guaranteed way for consumers to guard against a data breach, there are steps they can take to lessen the odds of becoming a breach victim. Create strong passwords by using a combination of upper- and lower-case letters, numbers and special characters. Additionally, when asked to choose a security question, choose the question whose answer would be most difficult for someone else to guess.

Limit the number of companies that possess personal information.

The chance that a consumer’s personal information could be gained in a data breach increases with the number of firms that have access to their information. Before signing up with a service, weigh the benefits of the service against the amount of personal information that is requested. Always read privacy statements to determine how personal information will be used and whether it will be sold to third parties. Additionally, before sharing personal information such as a Social Security number at the workplace, a business, a school or a doctor’s office, ask why it is needed, how it will be secured and the consequences if not provided.

We have seven pro tips to keep iPhone and Android apps from spilling your data.

Shelby Brown (she/her/hers) is a writer for CNET’s services and software team. She covers tips and tricks for apps and devices, as well as Apple Arcade news.

Each year, digital security becomes more important. Many of us rely on iPhone or Android apps for entertainment, navigation, exercise and social networking, but these apps are notoriously tough to trust. There’s no way to tell at face value if an app is tracking you (even when you say stop), and no protection is foolproof in today’s world of ever-evolving technology. An app that behaves well today could turn into a bad actor tomorrow if the company behind the app is sold, changes its direction or winds up compromised because of a flaw. With that in mind, it’s far past time to heighten your protection.

There are ways to find and delete the data Google has saved about you, along with some new privacy settings in Android and iOS to stop apps from tracking you. But there’s more you can do to protect your data privacy and improve your smartphone security. We talked to digital security experts about the data privacy and security steps they wish more people would take when using smartphone apps. Here are their suggestions.

1. Use a password manager

The strongest passwords are random strings of characters. A series of letters, numbers and symbols in no particular order is less likely to be found in the dictionary and harder for a computer to crack with brute force. The downside is that these complex passwords are much harder to remember.

This is where a password manager app comes in handy. Password managers keep all your passwords in one encrypted and password-protected app. They also generate and remember strong passwords. While apps like Google Chrome and Samsung’s proprietary phone app will offer to save passwords for you, security experts always go to the password manager.

It’s also best to avoid using the same password for multiple accounts. If one account is compromised in a data breach, all the accounts are compromised. With a password manager, each one of your accounts can have a different, complex and hard-to-crack password. Some will even generate passwords for you.

We recommend one called Bitwarden, but there are many other password managers to choose from.

2. Use a VPN on public Wi-Fi

If you’re going to get on a public Wi-Fi network while on your phone instead of using your mobile data, experts suggest using a VPN. A virtual private network can keep your data from being snooped on by other people lurking on the same public network. It can also mask your data transmissions, avoid filtering and censorship on the internet and allow you to access a wider variety of content around the world. Here’s everything to know about VPNs.

For our purposes, it can shield you from the risks of a free public network that others can use to gain access to your phone. When looking for a provider, it’s important to research the company to find out if it’s well-known and trustworthy. The Apple App Store and the Google Play Store have dozens of VPN apps that are free, but some have questionable practices, so take care.

Regardless of how frequently you plan to use a VPN, it’s important to read through the service agreement so you know what data might be collected and where it will be stored. See CNET’s guide to the best VPNs.

3. Be mindful of app permissions

One tip that almost all of the experts mentioned was double-checking which permissions the app asks for. You should also ask yourself whether it makes sense for an app to ask for certain permissions. An app asking for access to data that isn’t relevant to its function is a major warning sign.

“[If] you’re downloading a simple app for a pocket calculator for instance and the app is requesting access to your contact list and location,” said Stephen Hart, CEO of Cardswitcher. “Why would a calculator need to see your contact list and location? Requests like that should ring some alarm bells.”

In addition to paying attention to permissions that you grant to an app, it’s also important to monitor how your phone behaves after you download it. Shlomie Liberow, a technical program manager and security guru at HackerOne, said that drastic changes in your device’s battery life are another red flag, since malicious apps can constantly run in the background.

“If after installing an app, you notice your battery life decreasing faster than usual, that may be a tell-tale sign that the app is up to no good and is likely operating in the background,” Liberow said.

4. Research the app or company

While you can’t tell at face value if an app has sinister motives, a quick Google search can supply more information. The experts suggested searching the name of the app and the phrase “data scandal” or “scam.” Hart said the results should tell you if the company has experienced any recent privacy or data leaks.

“This search should also tell you if data breaches are a common occurrence at that company and, if they have experienced any, how they have responded to them,” Hart said. “If the company has been affected several times and done nothing to address the problem, steer clear of the app — it suggests that they aren’t taking the issue seriously.”

Joe Baker, an IT Systems Administrator at Anderson Technologies, said it’s wise to avoid an app if it’s the only one a developer has produced or if the developer was responsible for any other shady apps.

5. Limit social media exposure

Facebook’s Cambridge Analytica data scandal put the popular social network in hot water. But even people who’ve freed themselves from Facebook’s siren call after the fallout (or never created a profile in the first place) might still be at risk for privacy invasion. If you appear on a friend or family member’s account, you’re still visible online. After those accounts are observed, companies can construct a “shadow profile” that details a person’s likes, dislikes, political leanings, religious beliefs and more.