Can I sue a bank for a data breach? Yes, you can. Data protection breach claims against Royal Bank of Scotland began after a serious breach was first detected by a whistleblower in 2009 and not actioned until 2019. Because of this, customers' information was potentially exposed for a decade. Were you one of them?
Data breach is a serious problem. The inappropriate or illegal use of our personal information affects millions of people every year. New laws called General Data Protection Regulations (GDPR) were passed in 2018 to more closely monitor and restrict how companies and organizations use our personal data. Banks are very much included in this as they are at the forefront of potential online fraud, but lapses still occur.
This article explains how laws have changed to enable Royal Bank of Scotland customers to seek compensation if they can prove the breach damaged them. Damages based on financial and now emotional suffering can be combined by No Win No Fee data breach solicitors in much the same way as a personal injury or medical negligence case. This could help you if you have suffered financial or emotional harm from a data breach. Royal Bank of Scotland could owe you compensation for this.
Get in touch:
Speak to our team now for help. If you have a strong case, we can connect you with No Win No Fee data breach solicitors who can take up your claim at no initial cost to you and seek damages for this decade-long breach. You can:
- Call us direct on 0161 696 9685
- Email or write to us at Legal Helpline
The Royal Bank of Scotland officially changed its name to the NatWest Group in July 2020 and removed the name from its business, but as a customer of Royal Bank of Scotland, your data rights remain exactly the same.
GDPR rules are upheld by an independent body called the Information Commissioner's Office (ICO). They seek to protect the data rights of the average citizen and consumer to safeguard against the proliferation of online fraud and exploitation.
This body has far-reaching powers. They can issue severe penalties and prosecutions to any organization, agency or individual who does not comply with some basic core principles concerning the handling of our personal data. Briefly, they are:
- Lawfulness – to use our data with a lawful and obviously clear intention
- Data minimization – to collect only the data required for that particular task
- Storage limitation – to keep the data for a limited amount of time and then dispose of it properly
- Accountability – to admit to breaches promptly and remedy them
- Purpose limitation – to collect the data only for the precisely stated reason
- Integrity and confidentiality – such as proper training and awareness at every level of data handling.
- Accuracy – how precise is the data?
- Report all breaches to the involved parties within 72 hours of discovery
With this in mind, companies are given an instant and user-friendly guide on how to handle data. Perfect adherence to these laws can be difficult in a large and diffuse company where information is passed around at lightning speed. Banks particularly need to cross-share information constantly to provide efficient and secure services to their customers.
But the breach that affected Royal Bank of Scotland/Nat West was acknowledged as an egregious oversight worthy of severe reprimand. This guide shows you how damages can be calculated precisely to take into account all the consequences of this shocking oversight. In addition, we explain how the ICO can help you and what a No Win No Fee data breach lawyer could do for you.
Financially sensitive and personal data including bank details were discovered to have been left in the home of an RBS/NatWest employee for over a decade. During this time in an unsecured location, there could have been multiple data breaches that may have affected 1,600 people. Worse still, RBS/NatWest tried to conceal the breach from customers while they decided how to safely return the data. This posed a direct risk to customers and a clear breach of GDPR law.
Firstly, it’s important to note what the definition of a breach is. The ICO define it as the accidental or deliberate loss, alteration, destruction or unauthorized sharing of data that results in economic, social or emotional damage to the data subject. Clearly, client documentation lying around in the home of a bank employee could be subject to all these breaches.
Damage can take the form of money stolen by online criminals who somehow obtained our details, damage to our credit if they used our identity for fraud, or loss of reputation if the breach leads others to see us as untrustworthy. These are all serious consequences that can have long-lasting impacts on our mental health and finances.
Typical scenarios of data breach
There are some common risks of data breach in a bank office:
- Leaving laptops or information portals open to view
- Failure to ensure proper in-house software security or procedures
- Casual conversations amongst staff or the general public
- Transportation of hard copies that lead to loss or damage of data
- Social media posts that reveal personal info
- Lost smartphones, USB sticks or laptops
- Screens without automatic timeouts or multiple password technology
- Incorrect shredding or destruction of sensitive waste
- Hacking and cybercrime threats from outside
- Human error and inputting mistakes by staff
Any of these scenarios could result in bank information being shared inappropriately and without our consent. The reason GDPR rules are so stringent and thorough is that they recognize the many simple and seemingly harmless ways our data can be shared improperly. GDPR is an attempt to gain control over something that has the potential to be chaotic.
One of the purposes of collecting personal data is to share it. Circulating information is not inherently bad and banks, in particular, can share our details to improve services and ideally create even tighter security for our money.
Cybercriminals and hackers are constantly testing the weak spots of firewalls and bank security software looking for a chance to commit crimes. Viruses, malware and ransomware rain down upon the banks in a fairly constant assault on our privacy. It is perhaps all the more shocking in that case when the breach is the result of staff incompetence or human error.
The three main groups involved in data sharing are:
- Controllers – those in possession of our data (in this case RBS)
- Processors – those in charge of using and sharing the data within agreed terms
- Third parties – those who receive the data for agreed purposes
Each part of this process has its inherent risk of a data breach. Controllers can fail to have properly secured defence software in place. Processors can be outside agencies that lose or accidentally leak the data they are circulating, and third parties can abuse the remit of their right to use data. Phishing scams, marketing emails and unsolicited texts are all examples of third parties using our data in a way that goes past the original consent given.
Therefore, compliance with GDPR laws is vitally important to all concerned. With ICO fines that can be as high as £17.5 million (or 4% of last year's annual turnover), failure can incur a formidable penalty for those who ignore them.
As well as the UK breach, worse was to come for RBS in the United States. Also in 2008, Worldpay, a payment processing arm of RBS, was hacked and the data of 1.5 million customers was compromised. Whilst only 100 people were directly affected before the problem was detected and resolved, it shows how startlingly easy it can be for cybercrime to reach right into the pockets of unwitting customers, regardless of any defence the bank may have in place.
With regards to the breach in the UK, the situation remains unresolved. The employee in question claims to want to return the documents in her home but RBS/NatWest will not accept them without her signing a statement to the effect that absolves the bank of any responsibility. As this would place the full weight of RBS data breach liability on her, she is understandably reluctant to sign it. The data is being kept in a cardboard box under her stairs.
As someone affected by the repercussions of this RBS data breach, you could proceed with a claim against the bank. Whatever the outcome of how RBS/NatWest chose to accept the breached documents back, they are ultimately responsible for the behaviour and actions of their employees. Referred to as vicarious liability, this can still form the legal basis of data protection breach claims against Royal Bank of Scotland. On this basis, compensation can still be calculated to help you.
A case called Vidal-Hall v Google fundamentally altered the way that you can claim compensation in data breach cases. Formerly, there needed to be proof of financial harm to warrant any emotional damage. But after this case, it was recognised that either or both impacts could be acknowledged. This enables data breach solicitors to use the Judicial College Guidelines to estimate potential compensation amounts for:
- mental anguish
- damage to personal relationships
- loss of amenity or pleasure in life
- increased risk of mental health damage.
Fraud perpetrated in your name can be incredibly distressing. Identity theft is a fundamental violation and the consequences can be anything from loss of sleep to depression, PTSD or even suicidal thoughts. For these impacts to be the consequences of lazy procedure or indifference to data safety rules is unacceptable. However the RBS data breach impacted your health, our table below demonstrates what you could be eligible for:
| Type of harm | Description | Compensation bracket |
|---|---|---|
| Psychiatric Damage - Severe | Severe problems that affect many areas of daily and social life. | £54,830 to £115,730 |
| Psychiatric Damage - Moderately Severe | Significant problems with daily life. But, there is a more optimistic prognosis. | £19,070 to £54,830 |
| Psychiatric Damage - Moderate | Marked improvements have been made, despite having struggles with various problems. | £5,860 to £19,070 |
| Psychiatric Damage - Less Severe | The effect on daily activities and sleep will be taken into account. | £1,540 to £5,860 |
| PTSD - Severe | Inability to function the same as pre-trauma due to permanent effects. | £59,860 to £100,670 |
| PTSD - Moderately Severe | Recovery is possible with help from a professional, but the person will still likely suffer for the foreseeable future. | £23,150 to £59,860 |
| PTSD - Moderate | Largely recovered with any persisting symptoms not being majorly disabling. | £8,180 to £23,150 |
| PTSD - Less Severe | A full recovery is made within 2 years, with only minor problems persisting after this. | £3,950 to £8,180 |
Data Protection Breach Claims Against Royal Bank of Scotland
Obviously, medical proof is required to validate these claims. Your data breach lawyer can arrange for you to have a psychiatric evaluation and the results of this can support your data protection breach claims against the Royal Bank of Scotland.
Psychiatric impacts are known as ‘non-material’ damages and you can also claim for material damages. These focus on the tangible financial impacts on you as a result of the RBS data breach. Therefore, matters such as:
- Money stolen from your account
- Charges and fees incurred from fraud
- Psychotherapy counselling costs to deal with stress
- Lost work from increased anxiety or suffering
- In severe cases, the need to relocate or leave work because of criminal attention
Banks certainly keep enough information for hackers and cybercriminals to use. Once your data is in the public realm, it is almost impossible to control who sees it or what they do with it. The fallout of clumsiness on the bank's part could cause severe disruption to you. A No Win No Fee data breach lawyer can help you compile all the medical and financial evidence to demonstrate how the breach caused havoc in your life. This could then be claimed back as damages from RBS/NatWest.
Contact our team now and discuss how the RBS data breach impacted you. If we can help, you could be eligible for serious refunds and compensation.
The ICO explains in plain English how companies can protect data properly. It looks for the appropriate implementation of its rules and a display of compliance from those who possess and use our data.
Affected customers must be notified about breaches within 72 hours. The ICO will investigate major breaches and you can ask them to look at a leaked data problem on your behalf. You are also free not to involve them. But if the ICO does look at your case, it can lend great value to your claim for compensation.
It’s important to note that the ICO does not pay compensation. In order to successfully obtain damages from RBS/NatWest for their error, you need to privately sue them. You could do this alone, but data breach cases can be complex and time-consuming. Using a No Win No Fee data breach solicitor with the expertise to identify all potential damages to you is a much more sound decision.
As the victim of a data breach by RBS, you could be eligible for surprising amounts of compensation. GDPR rules apply to everyone and failure on the part of an organization to uphold them makes them liable for your damages. If you have proof, why not consider making a claim using a No Win No Fee data breach lawyer?
Simply contact us on the number below or email and our friendly team can assess the likelihood of your case in a brief and totally free initial consultation. It’s important that you can demonstrate actual proof of how the data breach by RBS/NatWest impacted you. It’s both unethical and time-wasting to seek claims against the bank on the off-chance of claiming compensation. Proof is the most solid foundation.
If we can connect you with a No Win No Fee lawyer they can take up your case at no cost, with no fees as the case progresses. Should the claim fail, there are no fees to pay at all. Your data breach lawyer has a vested interest in winning cases as their fee derives from a small, capped percentage taken at the conclusion of cases that win. Therefore, you can rest assured they won’t waste your time either.
At Legal Helpline we can help you start a claim for data breach compensation. It’s no longer essential to use the law firm that is most local to you. All relevant communication can happen remotely, and this is exactly what we offer. You could benefit from the expertise of data breach solicitors who help clients across the country and have over three decades of knowledge handling cases like this.
Call today to discuss what happened to you. We can help with the Royal Bank of Scotland 2018 data breach. Or, speak to us about any other kind of failure on the part of a financial institution to protect your personal information.
To start your claim the ICO recommend that you follow this procedure:
- Firstly, write to RBS/NatWest and complain that you have been the victim of a data breach. The ICO provide a useful letter template for this on their website.
- Await a response. Importantly, if there has been no helpful or satisfactory response within a three-month period, you can ask the ICO to step in.
- RBS/NatWest may offer to settle compensation with you directly for their breach. You are perfectly free to accept or decline this offer.
- As you await the outcome of the ICO investigation, start to gather evidence of your damages. There is a 6-year time limit to starting a data breach compensation claim (1 year if it involved a violation of your human rights) but collecting information can take longer than you might think. Don’t delay.
- Connect with Legal Helpline. We can introduce you to a No Win No Fee data breach solicitor to take up your case and calculate precisely the right amount of compensation.
This last point is key. Realistically, you can only make one claim for a data breach against the Royal Bank of Scotland. With bank fraud, there can be many costs that continue to flood in long after the initial deception has been exposed. Bank charges, late fees, unauthorized overdraft charges and the like could all mount up. It’s crucial to evaluate your compensation fully. You can still be liable for any amounts you remember after the claim.
However, we cannot invent a compensation figure out of thin air. It has to be factual and realistic. Your No Win No Fee lawyer will have the expertise to spot all present and future financial consequences and get them all included first time.
In conclusion, we hope this article has helped in your search for answers about Royal Bank of Scotland compensation claims. Thank you for taking the time to read it. If you’re ready to start a claim please:
- Call us and speak to our friendly team on 0161 696 9685
- Email or write to us at Legal Helpline
We look forward to helping you.
Is Royal Bank of Scotland safe?
Royal Bank of Scotland has done much to prove compliance with GDPR laws. The ICO can still monitor organizations after a breach, so RBS/NatWest should be one of the safer ones now.
What happens when a bank breaches data protection?
Without doubt, the breach should be notified as a matter of utmost urgency. 72 hours is the legal time limit according to the GDPR and ICO. You may discover the breach from strange activity in your account, a news outlet or social media before the bank notices, so you can report it yourself.
Can I get compensation for data protection breach?
Absolutely. Evidence is essential. With this in mind, it’s important to keep all receipts, bills and statements that prove your losses. Also, the results of a psychiatric evaluation can substantiate your claim for mental health harm.
How do I complain about data protection breach claims against Royal Bank of Scotland?
Write to the bank independently or use the template provided by the ICO to complain to the bank or petition the ICO themselves.
What can I do if my data has been breached?
Bank data breaches can be the worst kind. In view of this, it's essential to take steps such as cancelling credit and debit cards, changing passwords if appropriate and reporting the risk to the bank immediately.
In addition to the resources offered here, you can read more about data breach compensation and Legal Helpline. We can also help with other types of compensation claims such as personal injury or medical negligence. Furthermore, you can read about victim support for data breach incidents and why the ICO thinks your data matters. We can also offer advice from the government about improved personal data security techniques in the future.