Firms in danger where data breach causes distress
Hot on the heels of the launch of the pensions wave of the FCA's ScamSmart (as discussed by Sam's post), last Sunday a Daily Mail expose revealed that private pension data is being passed on by data firms without their customers' knowledge.
Fraudsters ultimately got hold of this pensions data, cold calling investors and targeting their pension pots- pension pots which will be even more vulnerable after 6 April. So serious were these claims that the Information Commissioner's Office has now launched an investigation.
It is not clear how the data firms got hold of this sensitive pension data, but advice firms should make sure they have robust procedures in place to prevent, and deal with, data leaks. This is particularly so in light of the recent Vidal Hall case Vidal-Hall and others –v– Google Inc  EWHC 13 (QB) where the Court of Appeal confirmed that:
• misuse of private information is a tort;
• claimants may recover damages under the Data Protection Act 1998 (the "DPA") for non-pecuniary losses; and
• it is strongly arguable that "browser generated information" collected via cookies may be 'personal data'
The recovery of compensation for non-pecuniary losses will have the most obvious impact for data protection practitioners like advice firms. This case means that individual data subjects may now seek compensation for breaches of the DPA purely by asserting that they have suffered 'distress'- even if they have not actually suffered any financial loss.
So in the scenario uncovered by the Daily Mail, if the data leak can be traced back to the advice firm, then a data subject who received cold calls from a fraudster could claim against that advice firm for their distress, even if they didn't lose money.
The courts' approach to awards in 'distress-only' cases remains to be seen- the data subject's claim may not succeed, or awards may be nominal- but the mere possibility of such cases may prove an unwelcome distraction for advice firms.
FOS has long awarded redress for "non-financial loss", but we expect that the Vidal Hall judgment will result in an increase in the number of civil actions brought by individuals under the DPA, and the legal resources expended by firms in fighting them. Claims could be brought by individual investors, or by a group of investors (as in the Vidal Hall case), probably coordinated by claims management companies. We also expect that 'distress' claims might routinely be added to wider advice and promotion claims.
As a result, it is more important than ever to guard against breaches of the DPA, even those which may previously have been seen as 'low-level' risk.
Readers interested in a technical discussion of the Google case might be interested in our Privacy team's recent blog post.