Media Coverage

Kingsley Hayes comments on the gap in data breach enforcement in Global Data Review

Partner and Head of Data and Privacy Litigation, Kingsley Hayes, comments on how a recent children’s data breach has revealed potential enforcement gaps in the UK, in Global Data Review.

Kingsley’s full comments were published in Global Data Review, 11 November 2022, and can be read here.

From a purely civil law perspective, victims of this data breach would only be able to seek damages against an existing cyber insurance policy that the company had in place. Given the conduct of this company, it is unlikely that such a policy was ever in place and so civil action against the company would be futile as there would be nobody to pay damages. The victims could apply to restore the company to the register of companies which takes between 3-6 months. They could then bring a claim against the company, however, given it was previously dissolved, there will be no funds/assets to pay damages in the event of a successful claim. If an applicable cyber insurance policy was in place, then the victims could restore the company and the insurer would likely defend the claim. In this scenario, if the victims were successful, the insurer would pay damages.

If a company goes into liquidation and there is a claim to be made, the claimants may write to the registrar of companies to request that the liquidation be put on hold, pending the outcome of a litigation against the company. The registrar will likely place a 6 month hold on the liquidation so that litigation may proceed. If in liquidation the company is still active, the ICO may bring a criminal prosecution against the directors of a company pursuant to s.198 of the Data Protection Act 2018. A prosecution in this scenario would likely fall under s.170 DPA 18 which relates to the unlawful obtaining of personal data. It is however, unclear whether the ICO can bring a prosecution against a former director of a now dissolved company.

The ICO does have a track record for taking action against Directors after the dissolution of a company or its liquidation. They did so in 2019 with an action against a David Cullen of No1 Accident Claims. The ICO has the power to prosecute and is on record as stating that it will “push the boundaries” in order to protect “individuals rights” where data is misused.

Maltin PR

Recent Posts

Latest Data Breach Round-Up – June 2024

In our regular update, we provide a roundup of some of the data breaches and… Read More

6 months ago

Join our MOVEit/ Zellis Data Breach Action

We have launched a group action against MOVEit/Zellis. Group actions can be a powerful tool… Read More

6 months ago

One year on – the extent of the MOVEit data hack is just becoming clear

The number of organisations affected by the MoveIt Data Breach is still rising, despite the… Read More

6 months ago

Join our 23andMe Data Breach Action

We have launched a group action against 23andMe. Group actions can be a powerful tool… Read More

6 months ago

ICO and Canadian counterpart to investigate 23andMe data breach

The Information Commissioner’s Office (ICO) has launched a joint investigation into the 23andMe data breach… Read More

6 months ago

Join Our Capita Data Breach Action

We have launched a group action against Capita. Group actions can be a powerful tool… Read More

6 months ago