Latest news with #ThompsonsSolicitors
Scotsman
2 days ago
- Business
- Scotsman
Why data breach victims deserve compensation
Amy Haughton is a Partner, Thompsons Solicitors Human error is often a key factor in cyber attacks, writes Amy Haughton Sign up to our daily newsletter – Regular news stories and round-ups from around Scotland direct to your inbox Sign up Thank you for signing up! Did you know with a Digital Subscription to The Scotsman, you can get unlimited access to the website including our premium content, as well as benefiting from fewer ads, loyalty rewards and much more. Learn More Sorry, there seem to be some issues. Please try again later. Submitting... Ask a lawyer about the data breach cases landing on their desk and the majority will share a common theme. The breaches are rarely deliberate or malicious, at least on the part of the data controller, but that is largely irrelevant to determining liability in a compensation case. Data protection laws are nothing new and seven years after the GDPR took effect in the UK, it is implausible that anyone processing customer information would fail to understand their basic obligation to keep personal data secure. Yet rarely a day goes by without the reporting of some kind of breach, from mis-typed email addresses and documents left on trains, to – as has been especially prominent in recent weeks – cyber attacks. Advertisement Hide Ad Advertisement Hide Ad Marks & Spencer, Co-op and Addias are recent targets of what are often framed as highly sophisticated cyber attacks. This type of crime has emerged as an unfortunate feature of a digital society, but are the consequences for consumers inevitable? It remains the case that the majority of cyber attacks, while perpetrated by a third party, involve some element of human error on the part of those responsible for the data. Soon after the attack on Marks & Spencer, it was confirmed that the hackers used social-engineering techniques, relying on human error to gain access to their systems. There is no doubt that organisations targeted by cyber attacks are victims of crime but this does not detract from their responsibilities in terms of data protection. In the UK, a failure to comply with data security obligations can result in regulatory action or a civil compensation claim. The ICO (Information Commissioner's Office) is the regulatory body with the power to investigate data breaches and take action, including the imposition of significant fines. Generally, enforcement action will only follow a high degree of fault or a failure to take responsibilities seriously – it is a penalty and a deterrent to failing to comply. Separately, an individual who has suffered harm, whether financial loss or distress, because of an infringement of the GDPR (General Data Protection Regulation) is entitled to compensation. The initial focus is on the infringement, which will often be self-evident, and on how this has affected the individual. The payment of compensation is not intended to punish the organisation and correlates to the harm experienced by the data subject rather than the severity of the failings. Advertisement Hide Ad Advertisement Hide Ad To avoid liability, an organisation must demonstrate that they were not in any way responsible for the event causing harm. This concept will undoubtedly be explored further in time, but it is difficult to see how the defence could apply in situations where a cyber attack only succeeds because of an error made by an organisation or its employees. While the consequences to an organisation may appear harsh, the compensation right reflects the concern which underlies a stringent data protection framework. Without adequate data security, the potential for harm through misuse of data and identity theft is very real. To engage in all areas of life, we trust multiple organisations with our information. Cyber attacks may be inevitable, but it should not be accepted that a breach of personal data will always follow. When an organisation fails, however unintentional their action or inaction may be, it is the individual who is put at risk and requires the law to provide a meaningful remedy.
STV News
7 days ago
- Business
- STV News
M&S faces 'unprecedented' customer lawsuit over cyberattack data breach
M&S is facing an 'unprecedented' class action lawsuit from Scottish law firm Thompsons Solicitors as a result of the cyber attack which affected their operations more than a month ago. Scottish customers who had their data stolen as part of a cyber attack that caused widespread disruption across the retailer's operations are being encouraged to join the claim. Last month M&S admitted to customers their personal information may have been stolen as a result of the cyberattack. M&S are still unable to take online orders and are alerting customers in app and online that products are only available to browse. / Credit: PA In a statement at the time, the retailer said: 'Unfortunately the nature of the incident means some personal customer data has been taken. 'Importantly, there is no evidence that this data has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.' Customers were prompted to reset their password though the store assured customers this was only for 'extra peace of mind.' The theft of customer data, while not an immediate concern on its own, does open up customers to a greater risk of fraud and scams with people either posing as M&S or using the stolen data to feign knowledge of the customer. Thompsons Solicitors says customers joining the legal claim could be entitled to compensation for this increased risk as well as financial losses (now or in the future), distress, anxiety, and time spent resolving issues or securing accounts. Speaking to ITV News, senior partner Patrick Mcguire, said: 'The clients who have joined our class action against Marks and Spencers have done so because their valuable confidential personal details were stolen. 'It was the responsibility of M&S to protect that information and they failed completely to do so. They have breached data regulations and caused distress to our clients a significant number of whom have already been the victims of attempted scams.' Thompsons Solicitors say more than 350 people have joined the class action so far, adding the level of response has been 'unprecedented' for a case of its type in Scotland. In response, M&S told ITV News: 'We communicated to our customers as soon as we could and told them that the data taken does not include any useable card or payment details, or account passwords. M&S does not hold full card details on its systems.' M&S say they 'have not received any claims.' M&S is still struggling to restore full operations after a cyber attack left them unable to take contactless payments, handle click and collect orders, keep shelves stocked and take online orders. Last month the retailer admitted the attack could cost as much as £300m, with these latest legal troubles only adding to the company's difficulties. Speaking to ITV News, retail and PR expert Rhea Freeman, said regardless of this claim's outcome, 'any time a brand is involved in a lawsuit they're receiving publicity for the wrong reasons.' Despite this, she believes the long-term damage to M&S' brand will be minimal. 'I think the way that M&S dealt with the issue from a PR perspective – keeping customers informed, messages from the CEO, explaining the steps they were taking, and being fully transparent, means that the brand damage will be less. 'The issue that's being raised with the lawsuit has been well documented – so there's no shock factor. 'Many people feel sorry for M&S and their team as they have worked so hard and tried to balance issues with customer care and satisfaction, so whilst this definitely isn't good for the brand, I think it could have been a lot worse from a brand image point of view.' Outside of any potential lawsuits, Rhea says how M&S continues to 'nurture the customers they have,' keeping them informed and 'acknowledging the inconvenience,' will go a long way to mitigating potential damage to the brand. Get all the latest news from around the country Follow STV News Scan the QR code on your mobile device for all the latest news from around the country
ITV News
03-06-2025
- Business
- ITV News
M&S faces 'unprecedented' customer lawsuit over cyberattack data breach
M&S is facing an "unprecendented" class action lawsuit from Scottish law firm Thompsons Solicitors as a result of the cyber attack which affected their operations more than a month ago. Scottish customers who had their data stolen as part of a cyber attack that caused widespread disruption across the retailer's operations are being encouraged to join the claim. Last month M&S admitted to customers their personal information may have been stolen as a result of the cyberattack. In a statement at the time, the retailer said: "Unfortunately the nature of the incident means some personal customer data has been taken. "Importantly, there is no evidence that this data has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action." Customers were prompted to reset their password though the store assured customers this was only for "extra peace of mind." M&S reveals hackers accessed customer data Marks & Spencer blames 'human error' as cyber attack set to cost £300m The theft of customer data, while not an immediate concern on its own, does open up customers to a greater risk of fraud and scams with people either posing as M&S or using the stolen data to feign knowledge of the customer. Thompsons Solicitors says customers joining the legal claim could be entitled to compensation for this increased risk as well as financial losses (now or in the future), distress, anxiety, and time spent resolving issues or securing accounts. Speaking to ITV News, senior partner Patrick Mcguire, said: "The clients who have joined our class action against Marks and Spencers have done so because their valuable confidential personal details were stolen. "It was the responsibility of M&S to protect that information and they failed completely to do so. They have breached data regulations and caused distress to our clients a significant number of whom have already been the victims of attempted scams." Thompsons Solicitors say more than 350 people have joined the class action so far, adding the level of response has been "unprecedented" for a case of its type in Scotland. In response, M&S told ITV News: "We communicated to our customers as soon as we could and told them that the data taken does not include any useable card or payment details, or account passwords. M&S does not hold full card details on its systems." M&S say they "have not received any claims." M&S is still struggling to restore full operations after a cyber attack left them unable to take contactless payments, handle click and collect orders, keep shelves stocked and take online orders. Last month the retailer admitted the attack could cost as much as £300m, with these latest legal troubles only adding to the company's difficulties. Speaking to ITV News, retail and PR expert Rhea Freema, said regardless of this claim's outcome, "any time a brand is involved in a lawsuit they're receiving publicity for the wrong reasons." Despite this, she believes the longterm damage to M&S' brand will be minimal. "I think the way that M&S dealt with the issue from a PR perspective - keeping customers informed, messages from the CEO, explaining the steps they were taking, and being fully transparent, means that the brand damage will be less. "The issue that's being raised with the lawsuit has been well documented - so there's no shock factor. "Many people feel sorry for M&S and their team as they have worked so hard and tried to balance issues with customer care and satisfaction, so whilst this definitely isn't good for the brand, I think it could have been a lot worse from a brand image point of view." Outside of any potential lawsuits, Rhea says how M&S continues to "nurture the customers they have," keeping them informed and "acknowledging the inconvenience," will go a long way to mitigating potential damage to the brand.
The National
21-05-2025
- Politics
- The National
Civil servants union PCS 'silenced' debate on trans rights
The Public and Commercial Services Union (PCS) took legal advice and banned motions which related to the landmark ruling which found that sex is defined by biology in the Equality Act. Delegates had submitted motions for debate at the union's annual conference in Brighton, but these were binned by PCS high command after lawyers from Thompsons Solicitors said they put the union at risk. A delegate said: 'It feels like the legal advice and the rule that allows the complete rejection of motions under legal advice has been used to completely silence us.' (Image: Lucy North/PA Wire) One motion, which the delegate said had become a 'lightning rod' for attendees seeking a debate on trans rights after other pro-trans motions were knocked back, put the PCS at risk of being sued, lawyers argued. The motion, A57, called on the union's national executive committee (NEC), its ruling body, to 'oppose exclusionary ideologies' such as gender-critical beliefs. Lawyers said these beliefs were protected in law and coming out against them opened the union up to claims of discrimination and harassment. Another motion called on the NEC to 'ensure that trans women are not excluded from women's spaces within the union'. READ MORE: Scottish Labour MP in 'secretive' meeting with private healthcare lobbyists Lawyers warned that doing so could lay the PCS open to claims of 'harassment' if trans women were using spaces reserved for biological women. The letter said: 'This is on the basis that it encourages [trans women] to access biological women's spaces, which is unwanted, related to the protected characteristic of sex and violates her dignity and creates an intimidating, hostile, degrading, humiliating or offensive environment.' A delegate told The National: 'There's no logic to the legal advice because we hear motions on Palestine, Ukraine, racism, basic employment law and a lot of it is rejection of the law or disagreement with the law but, seemingly in this particular instance, the legal advice is that we're not even allowed to say that or even think it, or even discuss it.' (Image: Gordon Terris) The final standing orders of the conference allowed two motions pertaining to trans rights to be debated. One responded to the Supreme Court ruling and criticised the PCS's delay in responding to the judgment. It called on the union to create a process for faster communications to members to respond to 'emergent situations' balanced with 'the need not to expose the PCS to any legal liability'. The second called on the union to reject the findings of the Sullivan Review, which urged the Government to require people to give their sex and gender on official forms like their health records. The PCS union declined to comment.
Fashion Network
20-05-2025
- Business
- Fashion Network
M&S hit by Scottish lawsuit over data breach
M&S is understood to be facing a multi-million-pound court action by Scottish customers whose personal data was believed to have been taken in the high street giant's recent cyber attack. Besides having to deal with major disruption to its supply chain, M&S has also had to admit hackers gained information on its customers. That has led to a class action suit over the loss of personal customer information -- which could result in huge compensation payouts, Glasgow Live reported. Law firm Thompsons Solicitors is to launch the class action suit on behalf of an unknown number of customers with senior parter Patrick McGuire telling the publication that it 'condemns the retailer for exposing clients to potential fraud due to inadequate protection of their data – an obligation mandated by law.' He said: 'M&S pride themselves on their customer service and reliability but in this most important area they have failed their customers completely. 'We have a situation here where one of the most famous retailers in the UK have allowed criminals to pillage the personal details of hundreds of thousands of Scottish customers. He added: 'We have been inundated by Scots M&S clients who have been caught up in this online heist and are contacting Thompsons given our experience in this area. I think this will be the biggest data theft case we have ever been involved in.' A spokesperson for M&S said: "Importantly, the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords. He added: 'There is no evidence that this data has been shared.' M&S's loyalty programme has 18 million members and the retailer has asked customers to reset their account passwords. It has also warned customers that they might receive bogus emails, calls or texts claiming to be from the company. More than £1.2 billion has been wiped off the market value of M&S since it was crippled by hackers three weeks ago. The company is still not taking online orders, has been left with empty shelves at some branches, and is reported to be losing up to £3.5 million a day.
