Partner and Head of Data and Privacy Litigation, Kingsley Hayes, comments on how a recent children’s data breach has revealed potential enforcement gaps in the UK, in Global Data Review.
Kingsley’s full comments were published in Global Data Review, 11 November 2022, and can be read here.
“From a purely civil law perspective, victims of this data breach would only be able to seek damages against an existing cyber insurance policy that the company had in place. Given the conduct of this company, it is unlikely that such a policy was ever in place and so civil action against the company would be futile as there would be nobody to pay damages. The victims could apply to restore the company to the register of companies which takes between 3-6 months. They could then bring a claim against the company, however, given it was previously dissolved, there will be no funds/assets to pay damages in the event of a successful claim. If an applicable cyber insurance policy was in place, then the victims could restore the company and the insurer would likely defend the claim. In this scenario, if the victims were successful, the insurer would pay damages.
If a company goes into liquidation and there is a claim to be made, the claimants may write to the registrar of companies to request that the liquidation be put on hold, pending the outcome of a litigation against the company. The registrar will likely place a 6 month hold on the liquidation so that litigation may proceed. If in liquidation the company is still active, the ICO may bring a criminal prosecution against the directors of a company pursuant to s.198 of the Data Protection Act 2018. A prosecution in this scenario would likely fall under s.170 DPA 18 which relates to the unlawful obtaining of personal data. It is however, unclear whether the ICO can bring a prosecution against a former director of a now dissolved company.
The ICO does have a track record for taking action against Directors after the dissolution of a company or its liquidation. They did so in 2019 with an action against a David Cullen of No1 Accident Claims. The ICO has the power to prosecute and is on record as stating that it will “push the boundaries” in order to protect “individuals rights” where data is misused.“
We have launched a group action against Capita. Group actions can be a powerful tool… Read More
Here are some of the questions our data protection experts have been asked about our… Read More
We have launched a group action against 2plan. Group actions can be a powerful tool… Read More
What happened in the 2plan data breach? Find out in our latest blog and claim… Read More
We have launched a group action against Southern Water. Group actions can be a powerful… Read More
Here are some of the questions we have been asked about our Southern Water data… Read More