Partner and Head of Data and Privacy Litigation, Kingsley Hayes, comments on how a recent children’s data breach has revealed potential enforcement gaps in the UK, in Global Data Review.
Kingsley’s full comments were published in Global Data Review, 11 November 2022, and can be read here.
“From a purely civil law perspective, victims of this data breach would only be able to seek damages against an existing cyber insurance policy that the company had in place. Given the conduct of this company, it is unlikely that such a policy was ever in place and so civil action against the company would be futile as there would be nobody to pay damages. The victims could apply to restore the company to the register of companies which takes between 3-6 months. They could then bring a claim against the company, however, given it was previously dissolved, there will be no funds/assets to pay damages in the event of a successful claim. If an applicable cyber insurance policy was in place, then the victims could restore the company and the insurer would likely defend the claim. In this scenario, if the victims were successful, the insurer would pay damages.
If a company goes into liquidation and there is a claim to be made, the claimants may write to the registrar of companies to request that the liquidation be put on hold, pending the outcome of a litigation against the company. The registrar will likely place a 6 month hold on the liquidation so that litigation may proceed. If in liquidation the company is still active, the ICO may bring a criminal prosecution against the directors of a company pursuant to s.198 of the Data Protection Act 2018. A prosecution in this scenario would likely fall under s.170 DPA 18 which relates to the unlawful obtaining of personal data. It is however, unclear whether the ICO can bring a prosecution against a former director of a now dissolved company.
The ICO does have a track record for taking action against Directors after the dissolution of a company or its liquidation. They did so in 2019 with an action against a David Cullen of No1 Accident Claims. The ICO has the power to prosecute and is on record as stating that it will “push the boundaries” in order to protect “individuals rights” where data is misused.“