According to The SMS Works, the Information Commissioner’s Office (ICO) was still to receive 42% of the total amount of fines it had handed out for data breaches, spam, and nuisance calling since 2015. This demonstrates the difficulty the ICO has when it comes to enforcing the punishments it hands out to companies who breach data protection regulation.
Data obtained* via a freedom of information request found that:
- 152 fines have been issued since 2015
- 30% of these remain unpaid.
Companies are demonstrating a history of data protection failures
At the same time, the news is routinely reporting about how big organisations are failing their customers when it comes to looking after their data.
For example, in April 2020, the news broke that Marriott had suffered yet another data breach. On this occasion, rather than customers, it was Marriott’s own employees who had their privacy violated due to a third-party hack. It seems that, even in the face of a huge fine from the ICO, Marriott still had issues with respect to its data protection responsibilities. But Marriott is not alone in repeated failures.
Despite two British Airways data breaches in 2018 – and a subsequent fine of £20 million – in 2019 a vulnerability with the airline’s check-in procedures, once again, exposed passenger information.
Also, in 2019, T-Mobile suffered a severe data breach with over a million pre-paid customers believed to be affected. Again, this was not the first time T-Mobile had suffered a data security failure. In 2018, the company experienced a data breach which affected around two million customers.
And the list goes on.
In 2017, a Dixons (Carphone Warehouse) data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. However, that breach was also not the first time that the company had failed to protect its customers’ data. Carphone Warehouse, which merged with Dixons, was previously fined £400,000 following another cyber-attack. At that time, the huge fine was one of the biggest ever handed out by the ICO (under new data protection regulations the ICO now has the power to issue much higher penalties).
So, at best, we could argue that big companies are not learning effectively from their security mistakes. Others might say they just do not care.
Is there any point making a complaint?
At Keller Postman UK, our expert data breach lawyers help people to claim compensation for data privacy violations. It is a job we take very seriously. Not least because we understand the huge impact (which can often be traumatic) a data breach can have on an individual. However, with breaches happening on an almost daily basis – is there any point even trying to stand up for your data privacy rights?
Certainly, where there is a pattern of breaches, there are likely to be significant data security issues at play. In fact, in many cases, these organisations are lucky that they have not suffered more data attacks. When you adopt a reactive “break-fix” approach rather than a proactive security-first approach, it’s only a matter of time before something else goes wrong.
Just because some organisations are not prioritising data security does not mean you should not.
Cybercrime can result in financial and/or identity theft. And even if you do not lose out financially after a data breach, this does not mean that you will escape unscathed. Many people go on to suffer psychologically after a privacy violation, with new symptoms developing and existing ones being made worse.
Your data has value and organisations are legally obliged to look after it. Something must be done to make companies accountable for their data protection failures. And, in many cases, taking action against these organisations is the only way to make them improve their security processes.
Who is to blame for data breaches?
Cybercriminals are becoming more and more sophisticated. But even where a company has come under attack, this does not let them off the hook. If the organisation can show that it has done everything in its power to protect your data and to have robust security processes and procedures in place, it is unlikely that they would be found guilty by the ICO.
Also, where a third party has been involved in a breach, this does not mean the company that collected your data is not to blame. It is their responsibility to put adequate checks and processes in place to secure third-party access. So, implicating the third party as the bad actor is legally neither here nor there.
The reality is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes – and these organisations must be made to get their houses in order. But it is essential to get specialist legal help to tackle these offenders head-on.
If the ICO can’t do anything, what can you do?
Our data breach team helps our clients to claim data breach compensation following data protection violations, GDPR breaches and other cyber offences.
We have specialist data breach lawyers, and we understand what it takes to make a successful data breach claim, regardless of the type of organisation involved.
With all the experience and expertise needed to win against even the biggest organisations, we will work with you to protect your rights and hold organisations to account for their failures. So if you want the best to fight your corner, you want Keller Postman UK.