Media Coverage

Kingsley Hayes comments on the gap in data breach enforcement in Global Data Review

Partner and Head of Data and Privacy Litigation, Kingsley Hayes, comments on how a recent children’s data breach has revealed potential enforcement gaps in the UK, in Global Data Review.

Kingsley’s full comments were published in Global Data Review, 11 November 2022, and can be read here.

From a purely civil law perspective, victims of this data breach would only be able to seek damages against an existing cyber insurance policy that the company had in place. Given the conduct of this company, it is unlikely that such a policy was ever in place and so civil action against the company would be futile as there would be nobody to pay damages. The victims could apply to restore the company to the register of companies which takes between 3-6 months. They could then bring a claim against the company, however, given it was previously dissolved, there will be no funds/assets to pay damages in the event of a successful claim. If an applicable cyber insurance policy was in place, then the victims could restore the company and the insurer would likely defend the claim. In this scenario, if the victims were successful, the insurer would pay damages.

If a company goes into liquidation and there is a claim to be made, the claimants may write to the registrar of companies to request that the liquidation be put on hold, pending the outcome of a litigation against the company. The registrar will likely place a 6 month hold on the liquidation so that litigation may proceed. If in liquidation the company is still active, the ICO may bring a criminal prosecution against the directors of a company pursuant to s.198 of the Data Protection Act 2018. A prosecution in this scenario would likely fall under s.170 DPA 18 which relates to the unlawful obtaining of personal data. It is however, unclear whether the ICO can bring a prosecution against a former director of a now dissolved company.

The ICO does have a track record for taking action against Directors after the dissolution of a company or its liquidation. They did so in 2019 with an action against a David Cullen of No1 Accident Claims. The ICO has the power to prosecute and is on record as stating that it will “push the boundaries” in order to protect “individuals rights” where data is misused.

Maltin PR

Recent Posts

KP Law Highly Commended at the Modern Law Awards 2024

We are very pleased to share that KP Law has been Highly Commended at the… Read More

10 months ago

Keller Postman UK merges with Lanier, Longstaff, Hedar & Roberts to form specialist collective redress law firm KP Law Limited

Today Keller Postman UK Limited and Lanier, Longstaff, Hedar & Roberts LLP announce their merger… Read More

10 months ago

What is group litigation?

Group litigation, also known as class action or group legal action, is a process where… Read More

10 months ago

What’s been happening in January 2024?

What’s been happening in January 2024? In our regular monthly update, we share the latest… Read More

10 months ago

What is talcum powder cancer?

What is talcum powder cancer? Here, we explain what talcum powder cancer refers to and… Read More

11 months ago

Lucy Burrows comments on 23andMe’s response to its data breach in ITPro

Associate Lucy Burrows provides insight on the 23andMe data breach and highlights the danger of… Read More

12 months ago