Out-Law News

ICO confirms issue of data breach compensation a matter for consumers to pursue with companies or via the courts
The Information Commissioner’s Office (ICO) in the UK cannot force companies to pay compensation to consumers affected by a data breach, the watchdog has confirmed.

On Monday, the UK's culture minister Ed Vaizey told MPs in the House of Commons that it would be "a matter for the Information Commissioner’s Office and TalkTalk to decide on any appropriate levels of compensation” due to customers in relation to the data breach experienced by the telecoms provider.

TalkTalk last week reported that it had been hit by a "significant and sustained cyber-attack" and that some personal data it held may have been compromised. The company said it had been the victim of criminal activity and that it has not breached the Data Protection Act. The Act requires that data controllers implement "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

A 15-year-old boy was arrested in Northern Ireland by the Metropolitan (Met) Police on Monday on suspicion of Computer Misuse Act offences in connection with the cyber-attack on TalkTalk. The boy has subsequently been bailed, the Met said.

Following Vaizey's comments, a spokesperson for the ICO told Out-Law.com that it was not responsible for setting consumer compensation levels in cases that concern breaches of the Data Protection Act.

"As an individual you may go to court to claim compensation for damage or distress caused by any organisation if they have breached the Data Protection Act - the information commissioner cannot award compensation," the spokesperson said, highlighting further guidance the ICO has issued on the topic of compensation for data protection law breaches.

Under the Data Protection Act data subjects have a right to claim compensation if they suffer damage as a result of violations of a section of the Act by organisations that hold their personal data. They may also be entitled to compensation from those data controllers if they suffer distress.

Organisations do have a defence to this right to compensation if they can "prove that [they] had taken such care as in all the circumstances was reasonably required to comply with the requirement [that it is alleged to have breached]".

Until recently it has been the generally accepted position that consumers who do not incur any financial loss from a breach of data protection laws by businesses are not entitled to compensation for that breach. However, a ruling earlier this year by the Court of Appeal altered that conventional wisdom, meaning that people who experience distress, but no financial harm, as a result of a data breach can raise a compensation claim. That judgment is, however, the subject of an appeal before the Supreme Court.

In response to calls from one MP to strengthen the ICO's powers to sanction companies for data security failings, Vaizey said he was "open to suggestions" and would meet UK information commissioner Christopher Graham "to look at what further changes may be needed in the light of this [TalkTalk] data breach". The Department for Culture, Media and Sport (DCMS) was handed responsibility for setting UK data protection policy in September.

The ICO currently has the power to issue fines of up to £500,000 to organisations responsible for serious breaches of the Data Protection Act. Under proposed reforms to EU data protection laws, organisations could face fines of up to 2% of their global annual turnover, if plans backed by the EU's Council of Ministers are voted through.