Beyond First Party Costs: Third Party Exposures Resulting From Personal Data Breaches
I. Introduction
Following a potential breach of personal data, whether or not through a malicious attack, organisations operating in the United Kingdom (“UK”) can expect regulatory scrutiny and claims for compensation, on top of their own significant costs and losses incurred as a direct result of the incident.
In this article, we explore the shifting regulatory and litigation landscape in the UK in relation to personal data breaches, including:
· Evolution in the UK’s Information Commissioner’s Office’s (the “ICO”) approach to personal data breaches;
· The UK Government’s legislative ransomware proposals;
· Growing mass actions; and,
· Implications for organisations and their insurers.
II. Regulatory Changes
a. High Profile Fines for Serious Breaches of UK Data Protection Legislation
In recent years, the ICO has continued to enforce significant fines and penalties for serious breaches of personal data, including:
· DPP Law
On 16 April 2025, the ICO issued a fine against UK law firm DPP Law Ltd (“DPP”) of £60,000 following a malicious attack in June 2022 that resulted in over 32GB of highly sensitive and confidential personal information being published on the dark web. [1]
In its decision, the ICO highlighted the lack of adequate security controls and the fact that DPP did not report the incident to the ICO until 43 days after discovery.
· Advanced Computer Software
On 27 March 2025, the ICO issued a penalty notice against Advanced Computer Software Group (“Advanced”) in the amount of £3.07 million following a ransomware attack in August 2022 that compromised the personal data of 79,404 data subjects and resulted in the disruption to critical NHS and social care services. [2]
The fine against Advanced is significant, not only because of its size (among the highest penalties the ICO has issued for a personal data breach) but also because it is the first fine the ICO has issued to a data processor. While processors generally are considered to have more limited obligations under the UK General Data Protection Regulation than data controllers, a fine appears to have been deemed appropriate here because the incident had such a significant impact on critical services provided by the NHS.
· 23andMe
On 24 March 2025, the ICO issued a notice of intent to fine Californian DNA genetic testing company, 23andMe, £4.59 million for a data breach arising from a malicious attack impacting personal information of 6.9 million customers, occurring in October 2023. [3] The stolen data included family trees, birth years and geographic locations.
The ICO’s findings are provisional at this time, but the amount of the proposed fine is high, as the extremely sensitive nature of the data appears to have been taken into account.
· TikTok
In 2023, the ICO fined TikTok £12,700,000 for breaches of the UK GDPR relating to the misuse of children’s data [4] (the third highest fine issued by the ICO for a breach of UK data protection legislation).
b. Increased Reprimands
Alongside these high-profile fines, in June 2022, the ICO announced a revised approach to enforcement of data protection against public sector authorities, stating that its goal was to reduce the impact of financial penalties on public bodies while improving compliance through proactive engagement and exercising alternative enforcement powers, such as reprimands and/or enforcement notices. A number of commentators have suggested that a lack of resources might be another factor behind the ICO’s preference for reprimands over fines, in particular, because reprimands cannot be appealed (unlike fines and penalties).
As a result of this new approach, organisations operating in the UK are subject to fewer fines for breaches of data protection legislation, even where the data controller is a private company, and public reprimands in the UK correspondingly have increased. Between 2018 and 2021, the ICO issued fewer than 45 reprimands. In a similar time frame since June 2022, the ICO has issued 82 reprimands to both public and private companies.
In certain circumstances, it appears that reprimands may be replacing fines. For instance, in October 2024, the ICO reprimanded law firm Levales Solicitors LLP after hackers were able to access client details because of insufficient security measures. The ICO highlighted the absence of multi-factor authentication (“MFA”), weak password management and Levales’ inability to determine how the threat actor obtained the credentials used to gain access to its network. By contrast, in 2022 the ICO issued a £98,000 fine against law firm Tuckers Solicitors LLP for a data breach arising from a ransomware attack, citing security failures strikingly similar to those in the Levales case, including the lack of adequate security controls such as MFA.
While the insurability of ICO fines and penalties is yet to be confirmed by a UK court (and, given the ICO’s preference for reprimands, may yet be some way off), organisations rely on their cyber insurers to provide cover for the significant defence costs incurred negotiating with the ICO. Further, whether the ICO ultimately issues a fine or a reprimand, the ICO will first conduct an in-depth investigation, involving detailed requests for additional information (and often several rounds of queries), frequently extending to many months.
Even if an organisation ultimately avoids a fine, a public reprimand damages its reputation and risks attracting the attention of claimant law firms (who, as discussed below, are increasingly exploiting new mechanisms to bring mass actions). It is therefore advisable to engage expert legal representation at the outset of an investigation to assist with the response to the ICO. As a result, organisations continue to incur significant internal time and external costs in responding to a regulatory investigation and, if insurance coverage is available, are likely to look to their insurer to fund the defence of the investigation, including legal advice as well as the cost of reviewing the impacted data in response to specific questions from the investigator.
c. UK Government’s Legislative Ransomware Proposals
In an effort to disincentivise cybercrime and counter the increasing frequency of ransomware attacks in the UK, which often lead to breaches of personal data, the UK Home Office launched a consultation on 13 January 2025 on legislative proposals for ransomware, including a ban on ransom payments by critical national infrastructure (“CNI”) operators and the public sector, a ransomware prevention regime, and a ransomware reporting regime. The consultation closed on 8 April 2025 and the government is currently reviewing feedback to determine which, if any, of the proposals should be implemented.
The consultation signals a further shift in regulatory expectations and could impose significant new obligations on organisations facing cyber extortion. If any of the proposals are implemented, organisations may need to review their incident response plans and insurance coverage, since a failure to adapt may result in heightened legal, financial and reputational risks.
III. Litigation Changes
a. Mass Actions for Personal Data Breaches
England and Wales does not currently have an overarching mass actions regime, and therefore most claims for damages arising from a data breach are brought on an individual basis only.
In particular, following the Supreme Court’s 2021 decision in Lloyd v Google LLC [5], the circumstances in which one claimant may bring a representative action for unlawful processing of personal data were significantly narrowed. The Supreme Court held "it would be necessary to show both … unlawful use of personal data relating to that individual and that the individual suffered some damage [i.e. financial loss or mental distress] as a result" and, individual analyses need to be undertaken in respect of each claimant in the context of an unlawful processing claim as to the level of distress or damage suffered.
However, claimant law firms are relying on alternative procedures for mass actions in England and Wales. Since the 2023 High Court decision in Abbott v Ministry of Defence [6] and the 2024 Court of Appeal decision in Morris & Ors v Williams & Co Solicitors (A Firm) [7], multiple claimants are permitted to bring their claims on a single “omnibus” claim form (under Civil Procedure Rule 7.3), so long as the claims can be conveniently disposed of in the same proceedings. Claimant law firms are now attempting to bring mass data breach claims using such omnibus claim forms. A recent example is the ongoing litigation in Sutton & Ors v Currys Retail Group Ltd [8] before the High Court, brought in 2024 by 711 claimants all listed on the same claim form and all seeking distress damages for breaches of the Data Protection Act 1998 arising from a cyber-attack against Currys in 2017-18.
Further, mass claims are increasingly being brought against large tech companies in the UK Competition Appeal Tribunal (“CAT”), which allows collective actions to be brought on an opt-out basis and damages to be awarded on an aggregate basis without an individualised assessment of each claimant’s loss. In particular, in the 2024 case of Dr Liza Lovdahl Gormsen v Meta Platforms, Inc. and Others [9], opt-out collective proceedings have been brought against Meta alleging that it abused its market dominance by forcing users to hand over their data as a condition of accessing the Facebook platform, seeking compensation of between £2.07 billion and £3.1 billion.
At the same time, the Directive (EU) 2020/1828 on Representative Actions for the Protection of the Collective Interests of Consumers (“RAD”), requires all EU member states to have in place at least one procedural mechanism for consumers to seek collective redress for alleged harm caused by a business through breaches of EU consumer laws (including GDPR), inspiring some enterprising claimant firms (including several well-known US class action firms) to form alliances to promote group litigation in the EU and UK.
The increasing focus on mass action procedures is likely to increase the number of mass actions in the UK, giving rise to higher defence costs and payments for damages and settlements, and correspondingly increasing third party exposure for organisations and their insurers.
IV. Conclusion and Key Takeaways
While digital assets continue to increase in volume, sensitivity and value, cyber threats also continue to evolve in complexity and frequency. This is strikingly evidenced by recent high-profile attacks against major UK retailers Marks & Spencer, Co-op and Harrods. As such, organisations operating in the UK must continue to take all necessary steps to prepare for the significant direct costs and losses associated with such an attack, as well as the risks of regulatory action and litigation.
Given the shifting regulatory and litigation landscape outlined in this article, organisations operating in the UK must not be complacent about third party exposures arising from personal data breaches, but should prepare for potential claims from customers, regulators, suppliers, vendors and other third parties who may incur their own consequential losses as a result of such an incident. Such claims expose companies to considerable costs to defend extensive regulatory investigations and pay any fines or penalties, as well as legal costs to defend individual and mass actions and pay damages awarded by a court. Additionally, service providers may have substantial contractual obligations to indemnify customers for their own costs of responding to an incident and/or addressing their own third party exposures, further increasing the financial burden. Companies also risk potentially devastating reputational harm should any regulatory reprimand, fine, penalty or adverse judgment become public. Furthermore, the added pressure of litigation and/or regulatory investigations on top of responding to an incident can place significant strain on already stretched corporate resources.
In addition, the Home Office ransomware proposals signal that additional regulatory obligations arising from a ransomware event may be imposed in the near future, leading to further uncertainty, increased compliance costs and operational scrutiny.
As such, organisations must prepare for malicious and non-malicious personal data breaches by regularly assessing their own IT security, ensuring they have a suitable plan in place to respond to an incident, and evaluating their obligations to customers and regulators. Most importantly, organisations should know where to find suitable help in the event of an incident, including identifying incident response providers and legal representation in advance, as well as arranging suitable insurance to manage all potential costs, including litigation and/or regulatory investigations.
Authors: Amelia Jones, Associate and Charlotte Worlock, Partner
A version of this article also appeared in Law360 on May 23, 2025.
References
[1] DPP Law Ltd | ICO
[2] Advanced Computer Software Group Limited | ICO
[3] Statement on 23andMe investigation | ICO
[4] TikTok Information Technologies UK Limited and TikTok Inc (TikTok) | ICO
[5] Lloyd v Google LLC [2021] UKSC 50 (10 November 2021)
[6] Abbott v Ministry of Defence [2023] EWHC 1475 (KB)
[7] Morris & Ors v Williams & Co Solicitors (A Firm) [2024] EWCA Civ 376
[8] Sutton & Ors v Currys Retail Group Ltd [2024] EWHC 157 (KB)
[9] Dr Liza Lovdahl Gormsen v Meta Platforms, Inc. and Others [2024] CAT 11