For businesses with expanding opportunities and responsibilities, it often becomes necessary to hire external providers and suppliers to ensure the efficiency of company operations. Data leaks from outsourcing can unfortunately occur when these external providers lapse in protecting the information held by the company they work with.
However, when a data leak does arise, it is not acceptable for the affected company to simply shift the blame onto an external supplier or provider. Ultimately, the responsibility to protect the information of customers, members and employees falls on the organisation itself as a result of the legal duties that it must adhere to. Even in cases where an external provider caused the leak, the victims can still be eligible to claim compensation.
Cases of data leaks from outsourcing
Numerous notable data leaks from outsourcing services have reached the national news in recent times. One of the most recent cases was that of the Now: Pensions data breach, for which we already act for a number of claimants. In the data leak, 30,000 customers had their information exposed from the pension provider after an agent described as a “third-party contractor” uploaded names, birth dates, postal and email addresses, and National Insurance numbers to an online public forum, seemingly in error.
A similar incident also recently occurred at Wentworth Golf Club, in which the member login system provided by external company Jonas Systems was accessed by an unauthorised third party, who downloaded a file containing members’ personal data. We are also representing a number of victims for this breach.
Where does responsibility lie?
In both cases described above, the contractors were specifically permitted to perform data handling. As such, it would be expected that they should be well-versed in basic cybersecurity and data protection procedures. However, if Now: Pensions and Wentworth Golf Club made these assumptions without appropriate checks and agreements in place, they can be found liable for their inaction. Such important data protection requirements should never be taken for granted.
The responsibility in both cases can fall on the organisation experiencing the hack or leak, as it is the one with the duty to those whose information it holds. In accordance with the GDPR, every organisation has a role to play in implementing sufficient cybersecurity and data protection practices, and no one can afford to turn a blind eye to external providers and assume they will do the same.
In order to prevent data leaks from outsourcing, data protection should always be on the agenda when a company is considering engaging the services of an external supplier. Data security should be consistently reviewed over the course of any business collaboration.
Making a data breach claim
All organisations involved can be held responsible for data leaks from outsourcing, so you can be entitled to make a claim if your right to data protection is breached.
While a breached company may try to put an external provider in the line of fire, this does not simply absolve them of liability.
If you wish to make an enquiry about a potential data breach claim, please do not hesitate to contact us for free, no-obligation advice. We are specialists in data breach law and understand how damaging the effects can be for the victims, so we are here to support those affected to achieve the justice they deserve.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
First published by Matthew on March 23, 2021