There is nothing more personal and sensitive than the entire contents of your mobile phone. We all have a responsibility to keep our phones safe and password protected but what if data was lost and the culprit turned out to be the mobile phone company itself?
On the 16th July 2019, Mrs L received her newly purchased mobile telephone. Mrs L’s partner then downloaded the new mobile provider’s app to transfer Mrs L’s data from her old mobile to her newly purchased one. The data transfer completed and Mrs L thought nothing further of it until she received a phone call from a family member who informed her that they had received a telephone call from a stranger. This third party had informed Mrs L’s family member that Mrs L’s personal data had been sent to their mobile phone too; not just between Mrs L’s old and new mobile!
Obviously, this caused Mrs L shock and concern. Mrs L contacted the third party herself and it was quickly established that she and the third party had both purchased new mobile telephones from the same mobile provider. Essentially, both Mrs L and the third party had been transferring data from their old phones to their newly purchased phones at approximately the same time and instead of just going to these, all their mobile data in fact went to each other as well.
Following the discovery of this breach, Mrs L lodged a complaint to the ICO who directed Mrs L to lodge her concerns with the mobile phone provider. Mrs L did so and the mobile phone provider later informed Mrs L (and the third party) that a technical error or failure had occurred. An apology followed but Mrs L did not think this was a sufficient response to such a serious mistake.
Due to the nature of the data breach and the sensitivity of the data transferred (which included hundreds of images/videos, contacts, pin numbers and other financial information), Mrs L instructed data breach/GDPR specialists Irvings Law to assist her. Without hesitation, Mr McConville, who is the Head of this expert department agreed that Mrs L’s privacy and personal data had been unlawfully infringed and so offered ‘no win, no fee’ terms to Mrs L to enable a claim to be pursued.
Mr McConville soon realised that data pertaining to Mrs L’s son and foster daughter was also included in the data that had been transferred to the third party. This information included imagery, medical information and the foster daughter’s previous identity which a Court had ordered not be disclosed to anyone due to safety concerns. Further, it transpired that the unintended recipient of this data had served a lengthy custodial sentence for a violent crime.
Mr McConville notified the mobile provider that Mrs L, her son and foster daughter were now legally represented. In response, the in-house legal representatives of the mobile provider had several telephone conversations with Mr McConville to try and settle this matter without issuing Court proceedings. Although they accepted their error they seemed to struggle to accept the severity and potential consequences of the breach and hoped the client would accept ‘a gesture of goodwill’. During these discussions Mr McConville made the legal position clear. He alleged to the mobile provider that they had breached/invaded Mrs L’s, her son’s and her foster daughter’s privacy and had also breached provisions of the Data Protection Act 2018 (which replaced the 1998 Act), the General Data Protection Regulation (GDPR) and the Human Rights Act 1998. Further he alleged that the mobile phone provider had breached confidence as well as misusing private information.
Following this, the mobile phone provider decided to instruct their own solicitors who are based in London. In response to a formal Letter of Claim the mobile phone provider did not provide a response in relation to liability but instead made significant offers of settlement. Following lengthy negotiations, all matters were settled. However, the mobile phone provider would only agree to payment of the significant settlements if Mrs L, her son and her foster daughter agreed to a Confidentiality Agreement.
The reason for this was obvious to Mr McConville; the mobile phone company did not wish this matter to become public knowledge as it would greatly affect their reputation and potentially their profits. On this occasion, Mrs L, her son and her foster daughter agreed to the settlement to finally resolve the matter as they now intend to move on with their lives.
Breaches this severe do seem to be rare, but perhaps we don’t get to hear about them? We hope that this particular provider has now improved their systems to prevent other customers going through the same experience.