TalkTalk hack: What to do if your data is leaked

The TalkTalk cyber-attack has put protecting consumers’ data right back at the top of the agenda for many people.

Last week’s leak was closely followed by Tuesday’s news that Marks and Spencer had suspended its site after a fault allowed customers to see each other’s details when they logged into their own accounts.
Rewind about two months and it was the infidelity dating website Ashley Madison in the spotlight when its customers’ details were stolen and leaked online.
So, what rights do victims have and what obligations are companies under?

What can consumers do?

The primary option for most people in the UK is to approach the Information Commissioner’s Office (ICO), which has a statutory obligation to investigate and can penalise organisations found to have misused people’s data. It has the power to fine bodies up to £500,000. But it cannot award compensation to consumers. For that, a person would have to go to court.
“Unfortunately, there have been very few cases of an individual’s right to claim compensation as a result of breach of data protection laws and many of the cases are fairly old,” Mahisha Rupan, a specialist data protection lawyer at the law firm Kemp Little, told the BBC.
She added: “The compensation in these cases has been fairly modest but we did have a landmark judgment from the Court of Appeal earlier this year.”
Ms Rupan said people had previously had to show evidence of financial loss as a result of a breach of data protection laws to have a chance of getting compensation. But, after the Court of Appeal’s ruling, an inability to do so was no longer seen as a barrier to asserting the rights afforded by data protection legislation.
“We could potentially see a change in the way data protection compensation claims are handled by the court,” she added.
Individuals affected by a data breach also have the option of trying to bring a firm involved to a voluntary agreement. However, consumer groups have not always been impressed by the offerings. In the wake of the TalkTalk breach, the consumer group Which? said that the firm’s offer to release people who could show financial loss as a direct result of the breach from their contracts for free was the “bare minimum”.
It said: “TalkTalk must treat their customers fairly by letting those affected leave their contracts without penalty and consider offering appropriate compensation.”
With any leak of personal data, there would be a risk of falling victim to identity theft and to phishing scams, in which fraudsters attempt to extract information from their victim, often posing as a trustworthy figure and using information they have already obtained.
“Phishing is a very serious risk and individuals should be wary. They could give away more information, which could lead to greater loss,” Ms Rupan said. “Just because financial information itself is not available to the hackers, does not mean all of the risks are mitigated.”
Under the data protection act (DPA), consumers have the right to demand to know what information organisations hold relating to them in the form of a subject access request.

What responsibilities do organisations have?

The same UK law that protects consumers also requires organisations that handle their data to put in place appropriate security measures.
But the requirement is not prescriptive. “It is a broad-based principle that requires companies to self-assess what risks the data may be exposed to and then apply the technical and organisation measures they consider will be appropriate to protect against such risks,” Vinod Bange, the head of UK data protection at the law firm Taylor Wessing, told the BBC.
According to Ms Rupan, that means the security obligations on firms are more closely related to the value placed on the data they hold than to the expected sophistication of any attack.
In short, if the data are not very sensitive, a lower level of security will suffice, regardless of whether that renders the firm more vulnerable to attack. But the most sensitive types of data, such as medical records, would require a higher standard.
Companies should be carrying out regular assessments of intrusions in order to be able to step up their security measures accordingly, Mr Bange said.
While companies could be ordered to pay compensation, the fines handed out by the ICO are typically much greater and “probably the biggest risk to the business is going to be loss of trust”, added Ms Rupan.

What about the future?

The US and the EU are negotiating a deal that will allow European citizens to sue US firms over data breaches. But it has not been signed.
There are also efforts in Europe to introduce a new law that would give citizens the right to be forgotten by the organisations holding their data – and to have that data in an easily transferable format, so that they can move it to rival organisations.
However, that is unlikely to be enforceable before early 2018, Ms Rupan said.