22. We received written evidence from TalkTalk customers who had been affected by data breaches, but not directly affected by the 2015 cyber-attack. One customer told us that it had taken TalkTalk over 100 days to inform customers about a third-party data breach that occurred in 2014. This customer believes that the delay in informing customers left them vulnerable to scams and they suffered financially as a consequence. In further written evidence, another TalkTalk customer complained that they had not been informed at all about a 2014 data breach and they subsequently lost money when scammers pretended to be from TalkTalk and claimed to be following up on a hack.
23. We welcome Dido Harding’s assurances that TalkTalk wishes to hear from any customer who has directly lost money as a direct consequence of the cyber-attack and that any customer who suffered financial losses as a result of the cyber-attack would be able to terminate their contract early. Mobile and telecoms contracts often do not make it clear if financial losses as a result of a data breach would be sufficient grounds to terminate a contract early; written evidence from consumers confirmed this. Telecoms companies should clarify this point in simple language for consumers, so that they can make an informed choice when choosing a service or product.
24. We remain concerned that consumer redress following a data breach is still too difficult. At present an individual can claim for compensation for damages caused as a result of a breach only by going to court. As the Information Commissioner stated in oral evidence:
I have responsibilities to deal with the company as a whole. What I cannot do is to act on behalf of individual constituents and award compensation. At the moment, that involves going to law and that will involve lawyers.
25. Compensation for distress without evidence of financial loss under the Data Protection Act is currently one area under consideration by the Supreme Court, in the Google v Vidal Hall case. We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process.
38 Dido Harding oral evidence Q40 and Q45
39 Dido Harding oral evidence Q49
41 ICO oral evidence Q179
17 June 2016