By Mark Clause. Last Updated 4th August 2022. Welcome to our guide on some common causes of data breaches. This article will look at what a data breach is and how it could be caused.
The Information Commissioner’s Office defines a data breach as, in broad terms, a security incident that affects the integrity, availability or confidentiality of personal data. This includes when personal data is accessed, changed, lost, disclosed or destroyed without authorisation. If this has happened to you, you could be eligible to claim compensation under certain circumstances.
The UK GDPR and Data Protection Act 2018 are legislative documents that work alongside each other to protect your personal data. They include guidelines on how organisations should handle your personal data and keep it secure.
What Makes A Valid Claim?
To make a valid claim for a data breach, you must start your claim within 1 year for public bodies or within 6 years for non-public bodies. You also must have suffered some form of material or non-material harm. This essentially means financial loss and psychological damage.
You’d also need to show that the organisation’s positive wrongful conduct led to the data breach. For example, if your employer didn’t provide cybersecurity or failed to train staff in data protection where necessary and this led to a personal data breach that caused you mental or financial damage, you could claim.
Keep reading to find out more about the common causes of data breaches. Alternatively, to talk to someone directly about making a claim, get in touch with us using the means below. Our team of advisors can offer free legal advice and may pass you on to a specialist data breach solicitor from our panel if they think your claim has a good chance of success.
Select A Section
- Common Causes Of Data Breaches: Phishing Attacks
- Impersonating A Person Or Organisation
- Unauthorised Accessing Of Personal Data
- Common Causes Of Data Breaches: Hacking And Malware Attacks
- Compensation Examples for Data Protection Breaches in 2022
- Data Breach Solicitors – No Win No Fee Solicitors On Data Breach
The National Cyber Security Centre (NCSC) defines phishing as untargeted mass emails sent to many people encouraging them to visit fake sites or asking for sensitive information. Cybercriminals could trick people into disclosing personal information or installing malware onto personal devices when this happens.
This could be done via pop-up adverts or spam emails that present themselves as being from trusted senders, for example. The email may include an attachment or a link that imitates a legitimate one but actually downloads malware or, if you log in, harvests your information.
Phishing emails can be sent at random to large numbers of people; however, there is another type called spear phishing that may target specific individuals or organisations.
According to government survey results on cybersecurity in 2021, phishing is the most common type of data breach or attack that organisations reported experiencing in the 12 months prior to the survey.
How you might be able to identify a phishing email:
- Misspelt domain names
- Bad grammar and/or spelling
- Public email domains
- Suspicious links or attachments
- An unwarranted sense of urgency
What could organisations do to avoid phishing attacks?
- Implement strong cyber security measures
- Train staff to be aware of the consequences of phishing
- Build a positive security culture — don’t punish victims but encourage them to report incidents
- Test the effectiveness of the training with simulated phishing attacks
If a phishing scam steals your personal data, you could be at risk. This may be considered unauthorised access and, therefore, a data breach. This is only one of the common causes of data breaches. To find out more about phishing scams, get in touch today.
Another arguably common cause of data breaches is impersonation. A cybercriminal could pretend to be you in order to gather your personal information from an organisation. For example, someone could call your bank and ask to make a transaction pretending to be you. Alternatively, someone could get in contact with you pretending to be an organisation that you trust.
For this reason, many organisations that handle personal data have security measures, such as questions with answers only you would know. PINs or passwords that you should not share with others may also protect your information.
If someone breaches your data via impersonation, this could potentially cause anxiety, post-traumatic stress disorder (PTSD) or psychological harm of another kind. You could seek compensation for this in a data breach claim.
Another common cause of data breaches is when unauthorised individuals access your personal data. This could be within an organisation or by specific individuals.
For example, many websites now offer ‘cookies’. This is so that your internet experience is more tailored to you and can be used to save personal details, such as log-in information.
However, most cookies should give you options for which parties are allowed to access such data. If your cookie preferences are ignored, and a third party accesses your data without permission, this could be a data breach.
By Members Of Staff
Within an organisation, there should be qualified and trained people to handle and process your data. If another member of staff who is not authorised to access this data does so, this could be a data breach.
This may not always be purposeful. Data breaches can happen by accident and human error, but you can still claim compensation.
For example, if a bank employee accidentally emailed your personal information to the wrong address, an unauthorised person could then have access to your personal information. Even if they don’t do anything with this personal information, it is still a data breach, and you could, therefore, still claim.
By Other People
An individual could also access your personal data without authorisation. For example, if a document or computing device with your personal information on it was left out in the wrong place, it could be lost or stolen. If someone steals your data, they may use it against you.
For example, if someone stole your home address, they may visit your home. This could cause stress and mental trauma.
The NCSC defines malware as malicious software which could cause damage in many ways if it is installed and run, including:
- Stealing, encrypting or deleting personal data
- Taking control of devices to attack other organisations
- Locking a device or rendering it unusable
- Obtaining credentials that allow access to your or your organisation’s systems
- Using services that may charge you money
- ‘Mining’ cryptocurrency
So what can organisations do to avoid being attacked by malware?
- Make regular backups, particularly of important or sensitive files
- Prevent malware from spreading to devices
- Prevent malware from running
- Prepare for an attack with training and cybersecurity measures
If your data is not being protected properly, it could also be hacked. A cybercriminal could illegitimately and purposefully access your personal data without authorisation. These attacks are an offence, and any perpetrators could be prosecuted.
Now we’ve illustrated the common causes of breaches of data protection, this section will confirm the different types of damages you could receive from a successful claim.
Your data breach compensation can consist of two different types of damages. Non-material damages can compensate you for the psychological injuries caused by the data breach. This can include depression, anxiety or PTSD.
Legal professionals use the Judicial College Guidelines (JCG) to provide clients with a better idea of their potential compensation amount. The figures below are taken from the most up-to-date guidelines, published in April 2022. Please remember that these figures are not guarantees, as every claim is unique.
If you’re claiming for non-material damages, as part of the claims process, you may need to attend an independent medical assessment. A medical professional will evaluate how the data breach has affected you psychologically. A solicitor from our panel can arrange for this assessment to be performed as locally to you as possible.
| Injury | Severity | Amount | Notes |
|---|---|---|---|
| Psychiatric | Severe | £54,830 to £115,730 | All aspects of life will be severely affected, including work, relationships, education and life in general. There may be little chance to ever fully recover to a pre-trauma level. |
| Psychiatric | Moderately Severe | £19,070 to £54,830 | There may be a positive prognosis, but the claimant will suffer difficulties with general life, daily activities and relationships. |
| Psychiatric | Moderate | £5,860 to £19,070 | Any related issues will have seen a marked improvement by trial date. There will be a good prognosis of a recovery. |
| Psychiatric | Less Severe | £1,540 to £5,860 | Compensation will depend on how long the claimant was affected for, and how much the related issues impacted sleep and daily activities. |
| PTSD | Severe | £59,860 to £100,670 | All aspects of life will be permanently and negatively affected. |
| PTSD | Moderately Severe | £23,150 to £59,860 | Some serious issues may persist but there will be a more optimistic prognosis for recovery. |
| PTSD | Moderate | £8,180 to £23,150 | There will have been a good amount of recovery and any lasting effects will not be disabling. |
| PTSD | Less Severe | £3,950 to £8,180 | Within 1-2 years, an almost full recovery will have been made. Only minor symptoms will remain after this point. |
The second head of claim is material damages. This can compensate you for the financial losses caused by the data breach. For example, your bank details could be stolen due to your solicitor being the victim of a malware attack. This could lead to funds being stolen. If this happened because your solicitor didn’t sufficiently protect your personal data from this kind of threat, you could potentially claim.
Due to Vidal-Hall & Others v Google Inc, you can now claim for psychological injuries without needing to experience financial losses from the data breach. You can claim for one or both as part of the same data breach compensation claim.
Some data breach solicitors will offer No Win No Fee agreements, and they could be financially beneficial to the claimant. That’s because the claimant doesn’t pay any solicitor fees in the event that the claim is unsuccessful.
If you do receive compensation, there is a success fee to pay your personal injury lawyer. The figure that makes up this success fee is dependent on how much you receive in compensation. However, the success fee has a legal percentage cap, so you won’t lose too much of your settlement.
There are other benefits to using No Win No Fee data breach solicitors. These include the lack of any other hidden or surprise charges as part of a No Win No Fee agreement. In addition, you don’t have to pay solicitor fees prior to or during the claims process.
These are just some of the reasons for working with data protection breach solicitors that offer No Win No Fee. Our panel of personal injury solicitors can provide a No Win No Fee agreement for claimants. To ask any questions about No Win No Fee, you can:
Thank you for reading our guide about the common causes of data breaches. We hope you found it useful. For further related resources, please see below.
Claim for a Data Breach by a Pharmacy – If you’ve suffered due to a data breach by a pharmacy, you could be eligible to claim compensation. Find out how in our article.
Housing Association Data Breach – If your data was breached at a housing association, use our guide to learn how to claim compensation.
Misdirected Fax Data Breach – Learn more about this type of data breach and how you could claim.
Data Security Incident Trends – Find here the ICO’s latest statistics about data breach incidents.
Help and Support After a Traumatic Event – This NHS page looks at the support you could receive after a traumatic event.
Mind – This UK mental health charity aims to support all those struggling with psychological issues.
If you have any more questions about common causes of data breaches, reach out to our advisors. They’re available 24/7 and give free legal advice.
Article by AO