Who is accountable for a data breach?
Data breaches are an unfortunately common occurrence, but knowing who should be held accountable isn’t always straightforward. Associate Mo Hussain clarifies who might be accountable for a data breach and the actions that you should take in such situations.
If your data has been leaked, you are likely to be feeling stressed, and wondering what steps to take next. If you’re in this predicament, you may be keen to find out who should be held accountable for the data breach, and whether or not you are eligible for compensation.
In this article we will explore:
- What counts as a data breach?
- What are the common causes of a data breach?
- When data is breached, who should be held accountable?
- What are the GDPR requirements concerning data security?
- Under GDPR, can an individual be responsible for a data breach?
- Does a company need to tell you if your data has been breached?
- What should you do if your data has been breached?
- How can Hayes Connor help following a data breach?
If you would like immediate advice from our team, you can call 0330 041 5135 or fill out our online claim form and we will respond promptly.
What counts as a data breach?
Before we explore the idea of data breach accountability and responsibility, it’s important to establish what constitutes a data breach, and what does not.
A data breach means an incident where personal data is viewed, retrieved or shared by those who do not have the permission or authority to do so. It may occur due to human error, for instance mistakes made by employees or data professionals, or due to a targeted attack by cyber criminals.
A data breach may be experienced by individuals or companies. If a data breach occurs because a company or solo entrepreneur did not have adequate data protection, that business is viewed as having violated GDPR laws surrounding data protection, and is therefore likely to incur a fine or another penalty.
What are the common causes of a data breach?
There are many common causes of a data breach including unencrypted data, a leak due to a malicious link, or even emailing the wrong person.
In other cases, a data breach might be caused by malware, ransomware, or insufficient security controls. Targeted DDoS attacks and phishing are also frequent causes of data breaches.
When data is breached, who should be held accountable?
When a data breach occurs, it can be difficult to determine which people are accountable, this tends to depend on the situation. A data breach might happen if CEOs and/or business managers fail to allocate a suitable budget for web security, for example, not investing in robust data encryption measures.
If so, the data breach responsibility may lie with the CEOs and company managers, and so these parties will be held accountable for their security failings.
In a different set of circumstances, it could be that the chief information security officers are accountable for the incident. If a company has adequate cyber security tools in place, and a breach occurs regardless, the incident may well be due to mistakes made by CISOs.
A chief information security officer is likely to be held responsible if a security team doesn’t detect, or offer a robust response when a data breach takes place. They may also be held accountable if cyber security technology isn’t up to date, or if data breaches are caused by substandard monitoring and or systems maintenance.
There are also many instances where those who manage IT security tasks are responsible for data breaches, for example, if a breach was caused by human error. It is advisable that companies work with expert data security operators to reduce the occurrence of such instances.
What are the GDPR requirements concerning data security?
According to the UK GDPR, businesses and sole traders are obligated to securely process any personal data that they handle. To do this, they must conduct risks analysis, as well as implementing suitable policies and technical measures. Both data handlers and businesses are responsible for using methods that ensure the confidentiality, integrity, and availability of the systems they use, and the data they process.
In addition, companies must test their security systems for effectiveness and make improvements where required.
Those handling and processing data are expected to:
- Implement encryption technology
- Make certain that where incidents occur, there is a suitable back up process to restore personal data access
- Ensure that where data processors are used, high standards are maintained regarding technical measures
Individuals and businesses handling and processing personal data are well advised to learn about responsibility after a data breach.
Under GDPR, can an individual be responsible for a data breach?
GDPR refers to a rigid rule set which needs to be followed when processing and handling data belonging to EU citizens. As a former member of the EU, GDPR was implemented in the UK by the Data Protection Act 2018.
Failing to comply with GDPR can mean incurring huge fines, and other penalties depending on the circumstances and seriousness of the case. GDPR was created primarily for organisations, however, data breach accountability is down to individuals in certain situations.
For instance, where an entrepreneur runs a business, and they are the only person in that company. If that solo entrepreneur breaches GDPR data regulations, they will incur a fine as an individual.
An individual who works for an organisation may be targeted with a fine in some situations. For instance, if the organisation they work for is being investigated for GDPR non-compliance and they attempt to hinder that investigation, or deliberately provide false information. An individual may also be fined if they destroy evidence of the breach, or seek to access data without having the relevant permission to do so.
Regardless, it is not commonplace for individuals within a company to face data breach responsibility or a fine, usually this would only be the case if that person was operating as a sole trader.
Does a company need to tell you if your data has been breached?
Where a company stores your data, and your data has been compromised, GDPR asserts that they must inform you in certain circumstances. For instance, if the breach will likely negatively affect a person’s freedoms or rights, they must be informed immediately.
If the data that has been compromised includes bank account information and a person’s date of birth and address, they are then vulnerable to identity theft. In this situation the individual should therefore be made aware of the breach at once.
In cases like this it is also the responsibility of the company to provide the individual with information about anything that they can do to protect themselves, for instance, safeguarding from identity theft.
However, where the personal data breach is considered to be of low risk to the individual, the company may not inform the person that it has taken place.
What should you do if your data has been breached?
If you are aware that your data has been breached, it is recommended that you get advice from a specialist data breach solicitor. You may be able to claim compensation, which can help you to access the support that you need, financial or otherwise, to remedy the harm you’ve experienced.
A specialist will be able to review what’s happened, investigate who is accountable for the breach, and support you through the claims process as smoothly as possible.
Experiencing a data breach is incredibly troubling, putting you at risk of financial consequences and identity theft, not to mention the anxiety that these experiences can bring up. In the aftermath of an incident, our solicitors can help you to keep things on track.
How can Hayes Connor help following a data breach?
At Hayes Connor, we have extensive experience in supporting victims of data breaches and GDPR breaches. With our wealth of knowledge on data breach accountability and responsibility, we can guide you through the data breach claims process, matching our support to your needs.
As one of the largest teams of data breach lawyers in the UK, we are in a great position to help you make a claim, holding those responsible for the data breach accountable.
At Hayes Connor, we will ensure that the process of making a data breach compensation claim is as straightforward as possible, helping you to access the maximum compensation that you deserve. Our lawyers have an excellent track record of helping clients to achieve compensation, without needing to attend Court.
To learn more about data breach accountability and data breach responsibility, please contact our data breach claims experts at Hayes Connor today.
You can find out more about our expertise and how we handle data breach claims here.
To start a claim, you can use our online claim form and we will get back to you shortly to let you know if we believe you have grounds for compensation.
If you would like to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5135.