Hardly a week goes by without news of another data breach. And today we have more news on the scale of Equifax’s data breach. So what should we do about it?
Last week, Yahoo revealed that it had been the victim of the largest data breach in history, with hackers able to gain access to information from up to three billion Yahoo accounts.
That’s nearly half the population of the world, and even though it’s likely that some individuals will own more than one of those accounts and many will be dormant, it will still be many hundreds of millions of people that are affected.
And now we have the latest details in the on-going Equifax breach: over 690,000 people’s phone numbers, email addresses, driving licence numbers, Equifax membership details and passwords have been compromised in a cyber-attack. That’s in addition to 14.5 million records where only names and dates of birth were made vulnerable.
Equifax has confirmed that it will be writing to all of the victims – assuming that it has up-to-date details. It will be offering free access to its identity protection service, Equifax Protect, to those who had their email addresses, driving licence number or online membership details compromised. And those who had their phone number accessed will be offered a leading identity monitoring service for free.
People are understandably concerned about whether, when they hand their personal information over to a company, that company will keep it safe. However, as we’ve seen, this isn’t always the case.
If you were a victim of a serious data breach which meant your personal information was available for others to see, what would you do?
While the law is clear that you have the right to seek redress from the company that has lost or misused your data, actually getting redress is another matter.
In the first instance you could go to the company, but if the offer isn’t good enough or it doesn’t offer anything at all, where do you go?
You might expect there to be some sort of ombudsman or even the regulator to intervene on your behalf. But for victims of data breaches, the current system means the next step is to take the company to court yourself. For many, this would signal the end of any redress claim.
The fact that you need to go to court is a practical barrier, as understandably most are reluctant to become embroiled in a potentially lengthy and costly legal process.
And in some cases, you may not even know exactly where your data was lost and will struggle to build the evidence needed. In the case of Equifax, many of those affected will have no idea their data has been lost until the letter comes through the door – this could simply be because they don’t recall using the service, or because a credit check has been run on them by a different company.
When there’s a data breach we believe people should have better ways to access their right to get redress.
Where a significant breach involving lots of people has taken place, we think the most appropriate way to get redress would be to allow independent organisations acting in the public interest to take action collectively on behalf of all people who have been affected.
Collective redress doesn’t just improve the process; it also cuts costs and court time and makes it easier for businesses, as all claims are dealt with at once. Companies that treat their customers fairly when things go wrong have absolutely nothing to fear and much to gain from an effective redress regime.
This collective redress action is something that we want the government to introduce for data breaches through the new Data Protection Bill. We want the government to amend the Bill to enable organisations, like Which?, to take action on behalf of all consumers.
Has your data been lost before? Would you be prepared to take a company to court if your data had been lost?