“There is not an expectation that this should never happen, because I think there's an acceptance that in the modern world it's inevitable. But it's just making sure you've taken the logical steps to protect yourself and to try as hard as you can basically to make sure it doesn't happen.
“If an accidental data breach happens and you don't respond to that well, I think there's a big reputational risk there,” says Snowball.
Firms have an obligation to report data breaches to the ICO and typically the FCA as well, if certain tests are met and the risk posed by the breach warrants it.
This can attract a flurry of third party claims, the severity of which depends on the type of data and the extent of the breach.
In order to bring a claim the claimant must be able to prove they have suffered damage, but this does not necessarily mean financial loss, it can also mean things like distress.
Though Snowball believes the value ascribed to cases in the courts is currently “very low”.
“There's been a few comments from judges along the lines, essentially, that in the modern world people have to accept that this is a fact of life.
“And the courts are reluctant to accept in many of the kind of day to day cases, that someone suffered a sufficiently high degree of distress about all of this to be entitled to compensation.”
Breavington says when it comes to losses suffered financial advice firms may have greater vulnerability than other sectors.
This is because of the nature of the data they are holding on clients.
“In order to be able to provide financial advice, they are likely to be holding relatively sensitive data, including a variety of financial information and identity information,” he says.
“Such information could be misused by a malicious actor to carry out identity fraud or financial fraud, and any identity documents in scope might need to be replaced at a cost to the individual.
“Therefore, the nature of the information likely held by financial advice firms means any data breach could result in a greater amount of loss being suffered by affected individuals than organisations in other sectors.”
The lawyers add firms should remember that they are not just required to check their own systems and controls but those of their outsourced partners too.
Snowball says: “The sort of challenge that we see more often than not is,…how do you make sure with third party service providers within your supply chain that they are up to scratch as well.
