Data Breach Compensation Culture?

If your personal data has been breached, what can you do about it? Take appropriate security measures, but increasingly the answer is to claim compensation.

Under the 1998 Data Protection Act, a person could bring a case to recover losses due to a data breach. Depending upon the scale of your loss, this could be a major task for a small return.

The GDPR has changed this picture. It has added the concept of claiming compensation for the distress caused by a breach in addition to direct losses. Indeed, there do not need to be any direct losses to establish a claim.

When ‘Which?’ magazine runs articles on claiming compensation for a data breach, the concept has entered the mainstream. How will this work in practice, and what might the impacts on data controllers be?

A history lesson from personal injury claims

In the late 1990s, a decision was taken to stop providing legal aid for personal injury claims. Instead, the ‘no win, no fee’ model that had been operating in the USA would replace state-funded claims.

Although many individual firms of solicitors and groups still provide ‘no win, no fee’ services, the market has largely been taken by claims management companies. Despite some early issues (The Accident Group going into administration in 2003, for example), claims management companies now form an accepted part of the landscape.

The claims management firms may instruct solicitors, but are not law firms. From an economic point of view, taking a case to court is the least preferred solution. It’s likely that a settlement will take place without the case ever going near a courtroom.

How do the claims get paid? Most often this type of claim is covered by public liability insurance. Businesses usually have this insurance and you’ll have equivalent cover through your household and car policies.

More recently, with the personal injury market becoming saturated, we’ve seen aggressive marketing of claims relating to the mis-selling of payment protection insurance, especially with the deadline for those claims rapidly approaching.

Data breaches – A new opportunity

Under the GDPR there is still an expectation that a claim for compensation will come to court. Claimants are encouraged to make a complaint to the ICO first. A determination by the ICO that a data controller has not met its obligations to protect the claimant’s personal data is a very significant advantage.

The prospect of more generous compensation after a data breach means that we’re starting to see a crop of companies offering to seek compensation. In the UK most of these are based on existing firms of solicitors and are taking the ‘no win, no fee’ approach. Try putting ‘data breach compensation’ into your favourite search engine to see the sort of services on offer.

In some very high-profile cases, specialist operations are forming around the breach. The best example of this relates to the airline Cathay Pacific, which announced in October 2018 that it had experienced a major breach affecting up to 9.4 million customers. Within days of the announcement, websites were offering affected individuals the chance to join a group seeking compensation.

Market consolidation

If we see a series of large compensation payments, then it’s very likely that we will also see consolidation in the claims industry and the rise of the data breach claims management firm. We can expect a move towards settlement out of court because of the issues of timescale and cost. At the end of the day, it’s easier to pay to make the issue go away.

In the same way that the claims industry is gathering, so is the insurance side of the equation. Try searching for ‘data breach insurance’ and you’ll find that business insurance giant Hiscox is already in the market, along with lots of others. There is a strong focus on cyber breaches at this point, but that simply aligns with the public perception of what a data breach looks like.

What does it all mean?

Right now, with a high degree of uncertainty following the introduction of the GDPR, compensation for data breaches looks like an attractive opportunity. Big breaches tend to come from major corporations with deep pockets. This makes both breach claims and breach insurance good bets as growth markets.

For data controllers outside the corporate sector, the likely outcome is that, in addition to the costs of compliance, you may need to add the cost of breach insurance in case you find yourself in the firing line too.