What price data security?

16.05.2025 | 5 mins read

Key takeaways

Small claims track for minor data breaches: county court is now the default route for low-value claims.

Legal costs must reflect claim value: £50k costs to recover £3k deemed disproportionate by court.

Simplify overlapping legal claims: avoid unnecessary complexity in straightforward data breach cases.

The retail sector is still reeling from cyber-attacks. It has been confirmed that customer data has been stolen, which could include telephone numbers, home addresses and dates of birth. We look ahead to how the UK’s data regulator, the Information Commissioner’s Office (ICO), could respond.

Under the UK’s data protection rules, retailers have a duty to take “appropriate technical and organisational measures” to protect customer data. Technical measures include things like encryption, firewalls and penetration testing. Organisational measures include staff training on how to spot an attempted cyber-attack. Retailers must report more significant data security breaches to the ICO promptly and, where possible, within 72 hours. If a breach is likely to result in “high risk” to individuals, for example because of the risk of identity theft, retailers must normally inform affected customers without “undue delay”.

The ICO will be looking into compliance with these issues as part of its investigations of the affected retailers.

The ICO can take strong action against retailers breaking the rules. At the top end of the spectrum, the ICO can impose a fine of up to £17.5 million or 4% of total annual worldwide turnover. The highest fine to date is £20 million, imposed on British Airways in 2020 (please see below for further details).

The ICO can also issue enforcement notices. These are notices that require an organisation to take particular steps to prevent future breaches.

We have set out below some examples of how the ICO has dealt with other cases involving cyber-attacks or stolen data. Similar EU duties and sanctions apply to retailers with an EU presence. This means there is the potential for fines from both UK and EU data regulators.

British Airways: In 2018, approximately 429,612 customers and staff were affected by a data breach, in which personal identity information and bank card details were accessed. The ICO found that British Airways failed to implement multi-factor authentication, did not rigorously test its IT systems, and did not limit access to data to only what was required for staff to fulfil their roles. The failures breached data protection law and remained undetected for over two months. Although the fine imposed was £20 million, the initial fine was £183 million. The cut was due to various mitigating factors and the ICO’s policy of reducing fines during the COVID-19 pandemic.

Marriott International: Between 2014 and 2018, over 339 million guest records were affected on a global scale. This data included guest names, email addresses, phone numbers and passport numbers. The fine was initially £99 million but was reduced to £18.4 million, due to the mitigating measures Marriott put in place following the cyber-attack and the ICO’s policy of reducing fines for organisations significantly impacted by the COVID-19 pandemic.
