This year has been a big year for data protection. In July, the Data Protection and Digital Information Bill 2022-23 was introduced in the House of Commons. The Bill aims to “update and simplify the UK’s data protection framework to reduce burdens on organisations while maintaining high data protection standards”.
However, there are genuine concerns that by removing the current obligations on businesses – including ending the need for mandatory data protection impact assessments (DPIAs) – individuals could find themselves worse off. Nevertheless, there are positive proposals in the Bill, such as strengthening the Information Commissioner’s Office (ICO) and empowering the data protection regulator to take a more proactive approach to help organisations comply with the UK’s data protection laws. The Bill was due to have its second reading in September, but this has been pushed back and no new date has yet been set for this to take place.
As the pace of technological advancement continues, our data is used and shared with ever more organisations. As such, the risk of data breaches increases, especially as too many organisations are failing to take data protection seriously. Holding those who fail to meet their regulatory requirements to account, we are pursuing several group actions. And, in 2022, we were delighted to settle our Ticketmaster group action claim and make significant progress in other cases, including in our action against the Police Federation of England and Wales.
In our 2022 year in review report, our expert data protection lawyers take a look at some of the key cases and developments that occurred in the world of data breach law over the last 12 months.
Kingsley Hayes
HEAD OF DATA BREACH
We were extremely pleased to announce that our firm was shortlisted for Law Firm of the Year at the 2022 LexisNexis Legal Awards. The Awards recognise and celebrate excellence and innovation across the legal sector.
Vision Direct customers were informed that their financial information might have been compromised in a data security incident. The breach occurred after hackers accessed the Vision Direct website. Anyone who made a purchase online during the breach period could be at risk. Our Data Breach team launched an action to help those involved in the Vision Direct data security failure.
In 2020, dating website and app Zoosk was the subject of a cyber-attack resulting in the exfiltration of 30 million user records. This data was then posted for sale on the dark web. In January 2022, we launched a group action claim to help users in England & Wales claim compensation.
We were delighted to announce that claimants represented by our firm had settled their High Court action against Ticketmaster.
The claims for compensation were brought by in excess of 1,000 customers who claimed their data was compromised as a result of a cyberattack perpetrated on software supplied to Ticketmaster by a third party and operated on that third party’s systems and servers. Ticketmaster denied liability for the claims and the settlement was made on a no admission basis.
The terms of the settlement are otherwise confidential.
In January 2022, Parasol Group shut down some of its systems after it discovered “malicious activity” on its network. Parasol later admitted that personal data was accessed by cybercriminals. Some of this data has been shared online. In February 2022, we launched a group action claim to help users in England & Wales claim compensation.
Speaking about the Parasol data breach in which cybercriminals accessed the personal information of contractors and employees. Kingsley Hayes, Head of Data Breach, said:
“Going on what we’ve seen, there is data there that goes back as far as 2011 and 2009, so anyone who has used Parasol in the last 10 years – at least – could have some data on that [leaked] database.”
Kingsley’s comments were published in Computer Weekly, 15 February 2022, and can be found here. This article was also republished in Techonnews and Knowledia, 16 February 2022.
In May 2021, Ardagh experienced a cyberattack. In October 2021, the company became aware that stolen data taken from its systems had been placed on the dark web. And, in February 2022, nine months after the security breach, Ardagh wrote to employees to warn them that their personal information might have been exposed in the attack. We launched an action to help those involved in the Ardagh data security failure claim compensation for any distress or financial losses experienced because of this breach.
We participated in the virtual Modern Law roundtable on the Role of Technology alongside senior representatives from Cripps Pemberton Greenish, Nexa Law, Spencer West, Ring Rose Law, Loch Associates and Millar & Bryce.
Committed to fostering a culture of equality and diversity, we are passionate about supporting women in the workplace. Some of the ways we do this are through career progression, representation, and by celebrating the achievements of the outstanding women in our firm.
To mark International Women’s Day (IWD) 2022, we shone a spotlight on some of the women who make our firm what it is. We were also proud to take part in an International Women’s Day Panel Event.
We were extremely pleased to announce that our firm was shortlisted in three categories at the Modern Law Awards.
The categories were Business Growth Award, Innovation of the Year, and Boutique Law Firm of the Year.
In December 2021, Greencore began to experience some IT disruption. Following the security failure, Greencore investigated the incident and uncovered that some HR data had been accessed. In February 2022, Greencore warned employees that their personal information might have been exposed. In March 2022, we launched an action to help those involved in the Greencore data security failure claim compensation for any distress or financial losses experienced because of the breach.
As a result of a huge cyberattack, thousands of people had their confidential medical data breached and posted online. In total, 13 organisations were affected, six of which are healthcare related. Following the breach, in March 2022, we launched an action against The Lister Fertility Clinic.
In March 2022, we were delighted to be one of the Collective Redress Lawyers Association (CORLA) founding members, alongside UK group litigation firms Edwin Coe, Hausfeld & Co, Leigh Day, Milberg London, and PGMBM.
CORLA was established to promote and facilitate reforms and practice that provide effective and ever improving access to justice for claimants by way of collective redress.
We launched an action to help those involved in the Parasol data security failure to claim compensation. And taking our case to the Courts, in March we issued a notice of potential claim against Optionis Group Limited.
In May, news of our Parasol data breach claim published in Computer Weekly. You can read what we had to say about the Parasol data breach here.
In May 2022, Partner and Head of Data Breach, Kingsley Hayes, highlighted the pitfalls of automated decision making and explained the importance of GDPR compliance when relying on algorithms to make decisions. Kingsley’s article was published in ITNow and can be found here.
As we entered the summer months, our team continued to pursue several large group actions on behalf of our clients.
When it comes to winning cases against big players, understanding the law is only half the battle. You also need experience. Our expert data protection lawyers have the legal expertise necessary to take on corporate giants and large organisations. And, in addition to our own legal know-how, where required, we also work with expert barristers to help us win our group action cases. So, we are confident that our team will get the results you deserve.
On 4 July 2022, Keller Lenkner UK changed its name to Keller Postman UK.
This change came as Warren Postman – one of Lawdragon’s 500 Leading Lawyers in America – stepped into a new role as Managing Partner in our US office.
Keller Lenkner UK built an enviable reputation for taking on corporate giants. As Keller Postman UK, our work in group actions and mass litigation continues. We will also carry on representing individual clients seeking redress for violations of their legal rights.
In July 2022, we warned people about a data breach at Airedale NHS Foundation Trust. The breach involves ‘special category data’. Special category data is personal data that needs more protection because it is sensitive. As such, victims of this breach are likely to be extremely worried about this data security failure.
In July 2022, Mainspring wrote to clients to alert them to a data breach. The security failure happened when hackers gained access to Mainstream’s systems and data and carried out a ransomware attack. In August, we launched a group action to help those involved in the Mainspring data security failure claim compensation for any distress or financial losses experienced because of this breach. Mainspring has contacted those affected, and we strongly urge anyone who has received this email to register with us.
On 30 May 2022, Nelsons – a Derby-based law firm with branches in Leicester and Nottingham – experienced a cyber-attack. The incident happened when an unauthorised third party gained access to part of Nelson’s systems and successfully copied a quantity of data. The stolen information includes client identity verification documents. This action is now closed.
Last year, web host GoDaddy discovered that it had breached some of its customer data. The GoDaddy data breach happened when hackers accessed one of the company’s databases. The affected databased held the credentials of 1.2 million managed WordPress customers. With more details coming to light about this breach, in August, we urged anyone who had received a notification about the privacy violation to get in touch with us to discuss a potential claim.
In September 2022, we were delighted to announce that we had been shortlisted for ‘Boutique Law Firm of the Year’ at the prestigious British Legal Awards 2022. The honours are “the premier legal awards in the UK” and represent the best of the best within the UK’s legal community.
In October 2022, we were ranked Band 1 for its Group Litigation expertise in the Chambers and Partners UK Guide 2023.
Access our Chambers & Partners UK 2023 profiles, rankings and quotes here.
In October, we applied for a Group Litigation Order against the Police Federation of England & Wales over a 2019 data breach and ransomware attack which targeted its headquarters.
Our firm currently represents over 12,500 officers across all ranks and service areas of the Police Force in relation to the severe data breach and ransomware attack targeting the Police Federation of England & Wales (PFEW) headquarters in 2019.
News of this has been published in MLex, 25 October 2022, and can be found here.
We recognise that our functions and operations have an impact on the environment. In response, we seek not only to reduce the environmental footprint of our own activities, but also the wider impact of dispute resolution. To help advance this aim, in September 2022, we signed the Greener Litigation Pledge.
The Greener Litigation Pledge is a commitment to action by solicitors’ firms, barristers’ chambers, lawtech companies, and other dispute professionals. In signing the Greener Litigation Pledge, we committed to taking active steps to reduce, with a view to minimising, the environmental impact of our practice in England and Wales, and to the reduction of our emissions in line with the objective of restricting global warming to 1.5°C.
Head of Data and Privacy Litigation, Kingsley Hayes, discussed the Department for Work and Pensions, algorithms, and universal credit in relation to the UK government’s plan to publish a White Paper on regulating Artificial Intelligence. Kingsley’s article was published by the British Computer Society, and can be found here.
In October, we were delighted that Legal Director, Eleanor Leedham was nominated for the Rising Star category at the inaugural Women and Diversity in Law Awards 2022. The awards, hosted by The Global Legal Post, celebrate equity and inclusion in the legal profession, and recognise outstanding individuals and teams making the UK legal profession more diverse.
Commenting on the Molly Russell inquest, Eleanor Leedham, explored whether a group action can be built against social media companies for failing to prevent users from viewing harmful content. Eleanor’s comments were published in the Daily Mail print edition, 1 October 2022.
Highly sensitive personal information involving victims of sexual assault has been exposed following a data privacy leak at Suffolk Police. The information exposed in this data breach includes:
According to Suffolk Police, the privacy violation relates to inquiries into sexual offences and offences that occurred in schools which were reported between 1 April 2015 and 31 March 2019.
We launched a group action to help those involved in the Suffolk Police data security failure claim compensation for any distress or harm experienced because of this breach.
If you are involved in the Suffolk Police data breach, or suspect that you might be, contact us immediately. We can help you to make a no-win, no-fee compensation claim for the negligent treatment of your data and the breach of your right to privacy.
In July 2022, South Staffordshire PLC, the parent company of South Staffordshire Water discovered that it had experienced a cyber-attack. When the water company first announced the cyberattack in August 2022, it was reported that the criminals had accessed the personal data of current and former South Staffordshire Water employees.
Since then, South Staffordshire Water has been “working with leading forensic experts to investigate fully what happened”, and in a subsequent statement, the company confirmed that the “incident resulted in unauthorised access to some of the personal data we hold for a subset of our customers.” The affected details are believed to include:
In December, we launched a group action to help those involved in the South Staffordshire Water data security failure claim compensation for any distress or losses experienced because of this breach.
Partner and Head of Data and Privacy Litigation, Kingsley Hayes, commented on how a recent children’s data breach has revealed potential enforcement gaps in the UK, in Global Data Review.
Kingsley’s full comments were published in Global Data Review, 11 November 2022, and can be read here.
When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.
Our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.
We are one of the most experienced multi-claimant law firms in the UK.
We represent clients in group actions with innovation, resources, and expertise.
We work with expert barristers to ensure you get the very best level of legal support available.
We have all the resources and global expertise necessary to take on complicated cases and win.
We have offices in London, Liverpool, Manchester, and Birmingham, and the technology to provide a nationwide service to clients across England & Wales.
We use technology to deliver a better legal experience to our clients.
We work on a no-win, no-fee basis.
We make the process straightforward and hassle-free.
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.