If personal data is comprised in a data breach, can you file a lawsuit?

A data breach describes where information is accessed, stolen, and used by cyber thieves without authorization. Incidents of this kind are more common than we think. Last year alone, 155.8 million individuals were affected by data exposures, sensitive information being disclosed due to less-than-adequate information security.

Estimated reading time: 5 minutes

The most commonly used cyber-attacks in data breaches are ransomware, malware, phishing, and Denial of Service (DoS). These days, data breaches are regular occurrences, and they leave unsuspecting victims vulnerable to identity theft. The question now is: What are the legal options? In Europe, you can claim compensation if a company hasn’t respected the law and you’ve suffered material damages (ex. financial loss) and non-material damages (ex. distress).  

For the time being, we don’t have an American version of the GDPR. Why does this even matter? Well, the vast majority of technology companies are American. In practice, it’s paramount to pay close attention to how customer data is handled and protected. There is a good reason for urgency about setting similar laws. Many organizations use data as their primary source of details, and cyber incidents can occur at any time.

To be more exact, someone could break into the database or system and cause chaos. A data breach hurts both the individual and the company by compromising sensitive information. Indeed, litigation should be the last resort, but it’s the only way to make sense of the situation. 

The GDPR imposes a duty on all organizations to report personal data breaches

The General Data Protection Regulation is a legal framework that requires organizations, whether big or small, to protect European citizens’ personal data and privacy. It has been around for a couple of years now.

Given that people live data-heavy lifestyles and don’t hesitate to share their information online, it would have been better if the data privacy law would have been introduced earlier. The security landscape continues to evolve, and, as highlighted before, attacks take place more frequently. To reach their goals, malicious actors stop at nothing to steal data. 

Certain personal data breaches must be reported to the relevant supervisory authority. If the incident severely affects individuals’ rights and freedoms, they must be informed without delay. Attention needs to be paid because any violation in the obligations results in an administrative fine of 20 million EUR. Therefore, it’s necessary to implement measures to ensure a high degree of data security.

Besides encryption, mention can be made of regular testing and evaluating. It might be necessary to designate a data protection officer to ensure compliance with applicable rules in certain cases. Each individual has to take responsibility for their own actions and those of fellow team members. It’s necessary to develop a security culture. 

What would the stolen data be used for? 

Have you ever stopped to think about what hackers want to do with your data? Let’s take a close look into this matter. First and foremost, malicious actors want to get their hands on a copy of the company’s customer database and spam them.

The more they can find out about the business and its customers, the more damage they can do. Secondly, hackers seek to steal personal information and use it for financial gains. They can get refunds diverted to the wrong account or commit credit card fraud.

Your creditworthiness and reputation with future lenders and employers are affected. Last but certainly not least, cyber thieves attempt to steal personal information so that they can blackmail you into giving them your money. For instance, hackers could steal precious medical information. The consequence is that you can’t get much-needed treatment. 

Data breach liability and the right to compensation 

All organizations are required to notify customers if a data breach occurs. Even if the security failures are the fault of the data owner (ex. the cloud provider), the data owner faces liability from the resulting cyber-attack. Let’s take an example. Facebook is sued in a class-action lawsuit in Europe over the 2019 data breach.

People are seeking monetary compensation for breaches of personal data that are set out in the GDPR. Anyone who has suffered damage due to an infringement of the regulation is entitled to seek compensation.

A claim can be made to the company concerned or brought before the courts of the European Union. So, if you’ve placed an order on an online platform and the site suffers a cyber-attack, you can demand compensation for the financial damage resulting from your credit card details being stolen. 

According to the experts at How to Sue, not too much attention is given to the psychological effects of a data breach. Besides feeling victimized, the person becomes upset, struggles with depression has trouble sleeping, and so on.

The victim can also experience social anxiety, which includes difficulty in dealing with friends and neighbors. If you’ve suffered financial loss or distress because of a data breach, you can go to the small claims court if you can’t solve the problem amicably.

Good evidence is necessary, needless to say. In this respect, it’s recommended to forward a complaint to the Information Commissioner’s Office (ICO). Of course, it can’t offer advice on the level of compensation you can claim, but what the independent official has to say can positively influence your claim. 

As mentioned earlier, you can take your case to the small claims court. It’s an inexpensive way to pursue a claim without the need of employing a lawyer. It’s necessary to fill out a claim form, give details with regards to your claim, and specify the amount you’re seeking, and offer any relevant details that might be required.

If the defendant contests the claim, the Registrar will try to negotiate a solution between you and the other party. Nonetheless, if this attempt fails, the claim will be referred to the District Court for judgment. Again, you can talk to a lawyer experienced in intellectual property and online data breaches and ask for advice.

What do you think? Please share your thoughts on any of the social media pages listed below. You can also comment on our MeWe page by joining the MeWe social network.

***This is a guest post. The thoughts and ideas expressed are those of the authors and do not reflect on Techaeris or its staff. Always consult a legal expert in these matters. This article does not constitute legal advice and should not be taken as such. The reader is responsible for their own actions.