Are employees responsible for cybersecurity errors and data protection breaches?

In many cases, data protection breaches arise as a result of human error. A CybSafe analysis of data breaches reported to the ICO found that 90% of UK data breaches in 2019 were caused by user mistakes. The employees responsible for cybersecurity would, therefore, seem to be failing to adhere to data protection law, but there is much more to it than that.

Despite the high incidence of human error, it is employers who bear the ultimate responsibility for upholding data protection at their companies. This can mean that, when a data breach occurs, organisations may be liable to pay compensation. If you have been affected by a data breach caused by an employee, you can still have every right to make a claim and recover compensation from the organisation as a whole.

Employers, employees and cybersecurity

When a data breach occurs, it can often arise from the most basic of employee errors. We have dealt with numerous data breaches in which a few extra clicks may have prevented the incidents from occurring. For example, we have seen email data breaches in council and healthcare organisations in which the sender has failed to anonymise the recipients of the email by using the blind carbon copy (Bcc) feature. Really, this dangerous method should be avoided anyway.

Other incidents have involved unintentional publications of private documents and spreadsheets. Again, these are easily avoidable.

It is all too easy to blame the employees responsible for cybersecurity incidents like these, as their lack of caution has contributed toward a major breach of privacy. However, it may be that employers have failed to properly educate their employees on data protection, resulting in needless data breaches taking place.

Data breaches provoked by employees responsible for cybersecurity  

There are a number of high-profile data breaches that demonstrate the joint role of employers and employees, where both can be responsible for cybersecurity incidents due to failures in their own duties.

For example, Virgin Media claimed that its data breach that exposed the personal information of around 900,000 victims was caused by an employee who configured a database incorrectly. However, one employee cannot take sole responsibility in our view, and the mistake was not noticed until ten months had passed, suggesting that the company as whole did not have proper procedures for setting out how often systems should be checked and tested.

The Equifax data breach similarly arose due to a known system insecurity not being patched when it needed to be. In this case, it could again be argued that the heads of the company were ultimately responsible for managing cybersecurity updates that could have prevented the data breach if they had been made in time.

Making your data breach claim

Regardless of the circumstances in which the data breach arose, if you have been affected by a breach of your privacy, you could be entitled to claim compensation. The employers and employees responsible for cybersecurity incidents and data breaches deserve to be held accountable, and claiming compensation from the organisation as a whole can help to teach them a lesson about the importance of strong data protection measures.

In terms of a data breach compensation claim amount, UK victims may be eligible to recover thousands or even tens of thousands of pounds, depending on the degree of distress they have suffered and the amount of financial losses or expenses they have incurred as a result of the data breach.

Do not hesitate to contact us for free, no-obligation advice on your potential compensation claim.

Hampshire police officer barred from service for accessing private data without authorisation

Postbox theft causes data breach at Hellesdon Medical Practice