There is no doubt that the last few years have been transformative for data protection. Today, more of our data is being used and shared than ever before; especially as we all exploit technology in our business and personal lives. But this increased reliance on technology does not come without risk, and, as yet, too many organisations are still failing to take data protection seriously.
In 2020, as the world struggled to overcome the challenges brought about by the coronavirus pandemic, data protection issues were thrust into the spotlight as the challenges of an at-home workforce and the need for remote technology and health-focused apps became apparent.
Nevertheless, despite the pandemic, the legal world continued to operate, with record data protection fines being issued by the Information Commissioner’s Office (ICO).
In our 2020 year in review report, our expert data protection lawyers take a look at some of the key cases and developments that occurred in the world of data breach law over the last 12 months.
Head of Data Breach
In January 2020, the ICO fined Dixons Carphone £500,000 after a massive data breach at the company in 2017. According to the ICO:
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
The details stolen in this breach included names, home addresses, phone numbers, dates of birth and email addresses. The hackers also got access to the records of 5.9 million payment cards.
We have launched a group action against Dixons Carphone. Group actions can be a powerful tool and can have a bigger impact than a single claim.
In a month that changed everything, on 11 March 2020, the coronavirus outbreak was labelled a pandemic by the World Health Organisation.
Quick to see the impact this might have on data protection, Kingsley Hayes (who later joined our firm as Head of Data Breach) raised concerns in the media about how the coronavirus pandemic might lead to an increase in data breaches.
In particular, he discussed:
On 14 March 2020, the Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR) – a company which performs early clinical trials of drugs and vaccines.
HMR did not pay the ransom. Malcolm Boyce, managing and clinical director at HMR said: “We have no intention of paying. I would rather go out of business than pay a ransom to these people”.
In response to this refusal, the cyber gangsters published the personal and medical details of more than 2,300 former volunteer patients online. The information has since been taken down.
The extremely sensitive and confidential information exposed in this hack includes:
The data exposed went back years.
In 2018, a huge data breach put 339 million Marriott International customers at risk. But, in March 2020 it seemed that the hotel giant still was not taking its data protection responsibilities seriously as it suffered a further breach – this time involving the personal information of 5.2 million guests.
The Supreme Court decided that supermarket chain Morrisons was not liable for a deliberate data breach caused by a disgruntled employee. However, this decision does not mean that businesses can be complacent. In most cases, data breaches are not caused by people seeking to cause damage to a brand. Instead, they are the result of genuine human error made possible due to poor security processes and a lack of training. And, for that, an employer can still be held liable.
The Babylon Health GP video appointment app gave some users access to videos of other patient consultations. The app had become especially popular during the COVID-19 pandemic, as it provided an alternative to visiting the doctor in person.
Commenting on the breach, Kingsley Hayes said:
“Healthcare is rapidly going digital. But, amidst this online information revolution, there must be robust protections in place. This is essential to secure confidential and sensitive medical data. Especially because, should such information become public, this could cause considerable distress and embarrassment to those involved. And, it might even be exploited by criminals.
“By allowing GP sessions to become public, Babylon has breached the Data Protection Act, and doctor-patient confidentiality. The healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be taken care of. Babylon failed to do this.”
In July 2020, it was revealed that over 100 educational and third-sector organisations were at risk following a breach of the Blackbaud cloud platform. Blackbaud – a firm that provides administration, fundraising, and financial management software – was targeted by cybercriminals in a devastating cyber-attack. The hackers demanded a ransom in exchange for deleting the data, which Blackbaud paid.
The US-based software provider took weeks to warn people that their data had been stolen. Furthermore, despite initially claiming that financial data had not been stolen, Blackbaud has since admitted that bank account information and users’ passwords were among the details feared accessed by hackers, although not everyone will have had their financial details compromised.
According to media reports, the affected institutions included:
In July 2020, hackers targeted the British Dental Association’s (BDA) systems. Cybercriminals accessed personal and financial data including:
As the BDA confirmed that its servers were illegally hacked, it also warned dentists to be extra vigilant. In particular, the BDA has suggested that members take the following steps as a precaution:
On 14 September 2020, Public Health Wales (PHW) admitted that a mistake had led to a data breach involving the data of Welsh residents who had tested positive for COVID-19 between 27 February and 30 August.
The breach exposed the following information:
Shopify admitted that it caught two rogue employees stealing transaction data from its online stores. The theft impacted around 200 merchants and their customers. The businesses put at risk in the Shopify data breach included Kylie Jenner’s make-up company, which has already informed customers about the privacy violation. The incident occurred between 15 August and 15 September 2020.
The ICO fined Marriott International Inc £18.4 million after a data breach put the personal data of some 339 million customers at risk. Seven million guest records related to people in the UK.
The ICO investigated on behalf of all EU authorities as lead supervisory authority under the General Data Protection Regulation (GDPR). The penalty and action have been approved by the other EU Data Protection Authorities.
Whilst the Marriott data breach was discovered in 2018, it could affect customers who made a booking at one of the affected hotels and timeshare properties as far back as 2014. However, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.
The ICO fined British Airways £20 million for a serious data breach which took place in 2018. The breach – which happened due to a cyberattack – compromised the personal and financial details of more than 400,000 British Airways customers and staff.
The hack went undetected for more than two months and was eventually discovered by a third party. According to the ICO: “It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant”.
British Airways was initially facing a £183 million fine for the data breach. However, this amount was reduced to £20 million after appeal.
In October 2020, we issued legal proceedings against the Royal Mail. The action related to the release of employee information collected by Royal Mail as part of an internal investigation following allegations of harassment and bullying made against another Royal Mail employee.
The claimants in this case had a reasonable expectation of privacy given the circumstances. Despite this, during the investigation, personal information was sent to a third party. The personal data included addresses, mobile telephone numbers, and in one case the name of an individual who had asked to remain anonymous. Although Royal Mail had informed the claimants that interview notes would be shared with the third party, those involved were reassured that their personal details would be removed before doing so.
We believe that Royal Mail is vicariously liable for the actions of its employees in sending the documents to the third party, as the employees were acting within their field of activities and furthering their employer’s purposes.
In October 2020, the ICO fined Ticketmaster £1.25 million for a shocking data privacy failure which took place in 2018. In this case, cybercriminals hacked Ticketmaster’s website resulting in a significant data breach. The Ticketmaster data breach exposed customer names, addresses, email addresses, phone numbers, financial/payment details and Ticketmaster login details. In total, 40,000 people in the UK had their payment details swiped.
Although the breach began in February 2018, the penalty only related to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.
In the first major post-GDPR case against a tech firm, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This was the first time a multinational tech firm had been held to account by the Irish regulator since the GDPR was introduced. The penalty was issued because Twitter failed to promptly declare and properly document a data breach.
The Irish DPC is the lead EU privacy supervisor for several tech giants.
This case could be significant as there is a backlog of investigations against the likes of Facebook, WhatsApp, Google, Apple and LinkedIn (amongst others). Facebook has said that it has put aside €302 million for potential regulatory fines.
Kingsley Hayes, Head of Data Breach, discussed these findings in Legal Futures.
NHS Highland patients were involved in a serious medical data breach. The health board admitted that the details of 284 patients were sent to 31 people. The data breached included patient contact details, dates of birth and the names of their clinics.
In December 2020, it came to light that HMRC had reported a series of ‘serious’ personal data incidents last year. For example:
Other data breaches at HMRC occurred due to cyber-attacks and a catalogue of human errors.
When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.
Our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.
London-based PBB University has been hit by cybercriminals. Our data protection experts are investigating this incident. We may be able to claim compensation for any distress or financial losses experienced because of this breach and we urge anyone affected to register with us.
In August 2019, over 750 annual benefit statements were sent to the wrong postal addresses. These statements were for police officers of Sussex Police.
Equiniti, a company that provides support, communications and technology platforms to help manage company pensions, was responsible for distributing these statements.