Ashley Madison, Sony, TalkTalk and now, perhaps most shockingly, VTech. The toy giant, most notable for manufacturing digital devices for young children, was hit by a sizable cyber attack last month. It is now believed that the personal information of more than six million children – including names, dates of birth, details of gender, images of children and even audio recordings – was stolen.
Cyber-security experts have accused VTech of not implementing appropriate measures against a cyber attack. One told BBC News that the company’s practices in protecting customer data were “unforgivable”.
The nature of this latest data breach is shocking, not least to those parents who have purchased a VTech tablet or camera for their child.
2015 has been the year that cyber-crime hit new and unprecedented heights. Where once such incidents were considered rare occurrences brought about by shadowy criminal organisations, consecutive high-profile hacks have hardened public opinion against the companies affected. Many now argue that large consumer brands are failing in their obligation to protect customer data.
This was particularly true of the high-profile TalkTalk hack, where the company was inundated with calls from angry customers looking to cancel their contracts. Some accused TalkTalk of breaching its duty of care. Others said that TalkTalk had failed to honour its contract with customers, neglecting its duty to protect and preserve its customers’ information.
TalkTalk stood firm, disputing these claims and imposing hefty termination fees unless a specific customer could prove financial loss as a result of the hack. The reception from customers was predictably frosty.
Unfortunately for consumers, such as those affected by the VTech hack, this stance is entirely consistent with the law.
The position outlined by the Data Protection Act is that a consumer can bring a claim for damages under ‘section 13’, but will generally only be awarded them if that person has suffered a financial loss as a result of the breach.
This year, the high-profile Google v Vidal-Hall case set a precedent that claims for damages for 'distress' caused by a breach were viable, rather than claims based purely on financial loss. However, there have been very few litigated cases on this point since then, likely because of the low value of any damages that might be awarded. In Halliday v Creation Consumer Finance the court awarded damages of just £750, for distress, following an incorrect entry being made on the Claimant's credit record. This error did affect the individual’s credit score, but did not cause any quantifiable financial loss.
Despite the strength of feeling that an individual might have when their personal data is compromised in this way, the potential damages for the mere occurrence of a breach – where there is no effect on credit, or unsolicited correspondence as a result of the breach – will be very small indeed.
The data controller – such as TalkTalk or VTech – can defend a claim if they can show that they took reasonable care to comply with the Act. Therefore, unless the data controller has breached that duty and done something wrong, they will not be liable. Usually the Information Commissioner's Office investigation into the breach will assist in establishing whether the data controller was at fault, or whether the breach was something that could not reasonably have been prevented.
In the current climate, it is no longer a case of if a data controller will suffer a cyber-attack, but when. Even if all reasonable measures are taken, there could still be an attack, and a subsequent breach, for which a consumer would not be entitled to compensation.
In the case of VTech, it is perhaps too early to say if the company employed all reasonable measures to avoid data being stolen in this way. The existing law is being tested to greater extents of late, but when dealing with such small sums of compensation, a single consumer is likely to be dissuaded from pursuing litigation given the legal costs they would be expected to pay.