Breaches, fraud and liability

By Steven Orpwood, Senior Consultant and DPO

So, here’s a scenario. The online travel agency I booked my holiday with has been breached. They correctly informed the ICO within 72 hours, and because it presented a clear risk to me, due to unencrypted credit card details, they informed me of the issue and their remedial actions. Financially, I think I’m ok, since my card has been cancelled and reissued. This is surely the end of the story; or is it?

Well, no. Because as well as card details, there was personal information that can’t be changed, and also passport details, held for visa purposes. I got a new passport a year ago, so it has 9 years until it expires. Should I be worried?

In short, yes. It is possible for such information to be used to obtain genuine documents, such as driving licences and new passports, which creates a serious risk of identity fraud and identity theft, potentially leaving me fighting bills that are not mine for many years to come. This risk is not easily mitigated. I can keep an eye on my financial records and check my credit scores, but if the act isn’t committed immediately, who is liable, and is there a limit to my right to legal recourse?

Liability between data controllers and processors is an increasingly hotly contested issue under the GDPR. So whilst it is possible for me to bring a civil claim for compensation for financial loss or emotional distress, there is the issue of determining who is to blame. According to the GDPR, assuming there has been a good level of due diligence from the data controller, there is an agreed level of security between the controller and processor, and the correct contractual terms are in place, fines will be apportioned according to the degree of responsibility of the controller or processor – Article 83(2d) – unless one party is entirely blameless – Article 82(3).

But while this may reassure me in the short term, if a fraudster lies low for a few years, collecting data, and then perpetrates a fraud, recourse later on may not be so easy.

As time moves on, and in the course of normal life, I will have shared my data with more institutions and people, for example banks, insurance firms and mobile phone providers, who do not require sight of the physical document, and it will become difficult to prove that a breach many years previously is the basis of the fraud committed against me now. And even if I do establish the source of the fraud, is there any limitation on litigation? If I were to litigate on the basis of negligence in respect of latent damage, I would have to do this within six years of the date the breach occurred, or three years from the date on which I had knowledge of the fraud, whichever is the later, and both of these are subject to a maximum period of 15 years from the breach.

The one thing we can be increasingly sure of is the need to be vigilant about the data you share and, what’s more, to keep a record of those you share it with, especially for government-issued ID documents. And if you think this is unlikely to happen to you, it’s worth remembering that fraudsters drive security, so breaches will occur, and your data, and identity, will be at risk.

