Date: 2025-06-09

Amy Haughton is a Partner, Thompsons Solicitors

Human error is often a key factor in cyber attacks, writes Amy Haughton

Ask a lawyer about the data breach cases landing on their desk and the majority will share a common theme. The breaches are rarely deliberate or malicious, at least on the part of the data controller, but that is largely irrelevant to determining liability in a compensation case.

Data protection laws are nothing new and seven years after the GDPR took effect in the UK, it is implausible that anyone processing customer information would fail to understand their basic obligation to keep personal data secure. Yet rarely a day goes by without the reporting of some kind of breach, from mis-typed email addresses and documents left on trains, to – as has been especially prominent in recent weeks – cyber attacks.

Marks & Spencer, Co-op and Adidas are recent targets of what are often framed as highly sophisticated cyber attacks. This type of crime has emerged as an unfortunate feature of a digital society, but are the consequences for consumers inevitable?

It remains the case that the majority of cyber attacks, while perpetrated by a third party, involve some element of human error on the part of those responsible for the data. Soon after the attack on Marks & Spencer, it was confirmed that the hackers used social-engineering techniques, relying on human error to gain access to their systems. There is no doubt that organisations targeted by cyber attacks are victims of crime but this does not detract from their responsibilities in terms of data protection.

In the UK, a failure to comply with data security obligations can result in regulatory action or a civil compensation claim. The ICO (Information Commissioner’s Office) is the regulatory body with the power to investigate data breaches and take action, including the imposition of significant fines. Generally, enforcement action will only follow a high degree of fault or a failure to take responsibilities seriously – it is a penalty and a deterrent to failing to comply.

Separately, an individual who has suffered harm, whether financial loss or distress, because of an infringement of the GDPR (General Data Protection Regulation) is entitled to compensation. The initial focus is on the infringement, which will often be self-evident, and on how this has affected the individual. The payment of compensation is not intended to punish the organisation and correlates to the harm experienced by the data subject rather than the severity of the failings.

To avoid liability, an organisation must demonstrate that they were not in any way responsible for the event causing harm. This concept will undoubtedly be explored further in time, but it is difficult to see how the defence could apply in situations where a cyber attack only succeeds because of an error made by an organisation or its employees.

While the consequences to an organisation may appear harsh, the compensation right reflects the concern which underlies a stringent data protection framework. Without adequate data security, the potential for harm through misuse of data and identity theft is very real.

To engage in all areas of life, we trust multiple organisations with our information. Cyber attacks may be inevitable, but it should not be accepted that a breach of personal data will always follow. When an organisation fails, however unintentional their action or inaction may be, it is the individual who is put at risk and requires the law to provide a meaningful remedy.