
The illusion of protection: how UK businesses are failing on data responsibility

In our view…

Editorial analysis and opinion from Join the Claim.

Every time a major data breach hits the headlines, attention turns to the company behind it — how much it will cost, how long recovery will take, and what went wrong. But behind those headlines are the people whose information has been exposed: customers, employees and suppliers who never agreed to absorb that risk.

For years, the conversation around cyber incidents has focused on cost and disruption — spreadsheets, downtime, and technical fixes — rather than the human consequences. We need to think differently about the real and lasting impact of these breaches, and the erosion of trust in the digital systems we rely on every day.

Because when companies fail to protect personal data, the consequences don’t stop at the boardroom door.

The illusion of cyber protection

When a breach hits, companies can face enormous costs. Not just in financial terms, but in reputational damage, forced shutdowns, litigation exposure, and the long game of restoring confidence. The fallout from a major incident can last for years.

That said, well-run organisations should expect this risk, with cyber insurance in place to limit the damage when things go wrong.

But, all too often, insurance becomes a comfort blanket. If the fallout can be insured, where’s the incentive to invest in genuine prevention and accountability? Does such complacency go some way to explaining the rising scale and frequency of breaches across sectors that should know better?

“Businesses are right to take cyber insurance seriously, but it shouldn’t be where the story ends. Insurance can help a company recover its losses, but it can’t undo the potential damage done to individuals when their personal data is exposed. The focus has to be on prevention and accountability, not just financial recovery.”

In practice, many large organisations treat cybersecurity as a back-office line item rather than a board-level concern. And when the worst happens, insurance policies are expected to pick up the bill. Worse, some firms don’t even have that. They underinsure or skip cover altogether, betting “it won’t happen to us.” As the recent Jaguar Land Rover incident shows, that gamble can be a costly one.

Complacency meets reality

The Jaguar Land Rover hack laid bare the danger of under-preparation. Reports suggest the car giant had not finalised its cyber insurance before the attack struck. If true — and multiple sources indicate it may be — the company will be left to shoulder the full cost of the disruption, reportedly running into millions each week.

To add insult to injury, Jaguar Land Rover posted pre-tax profits of around £2.5 billion in its most recent year, indicating that it had the resources to make better risk decisions. Meanwhile, its smaller suppliers, lacking the same margins, have been hit hardest.

That’s the ripple effect of weak cyber resilience: the shock travels fastest through those least able to withstand it.

For Jaguar Land Rover’s direct employees, the disruption is serious but manageable, with staff still being paid at the time of writing. For suppliers and their workers, the threat is agonising. Some face closure after weeks without income, while others have been forced into layoffs. The attack exposed how fragile digital dependency can be when one link in the chain fails.

Then there are cases where the damage is far more dangerous. Consider the Afghan data breach, where thousands of names, contact details, and, in some cases, family information of Afghan nationals who assisted British forces were mistakenly disclosed. Those individuals were forced into hiding, living under threat from the Taliban. An avoidable administrative error put lives at risk.

Even so-called “small” breaches can have lasting repercussions. A leak of names, emails or health data might seem minor, but once that information is sold or shared on the dark web, it can be used in identity theft, fraud or targeted scams. While some data breach victims walk away with no harm done, their personal information can circulate, and its misuse can haunt other victims long after the headlines fade. Businesses might be able to afford cyber insurance, but the public doesn’t have the same level of protection.

Lessons from the latest warning

If there was ever a sign that the UK is losing patience with corporate complacency, it came this month. The National Cyber Security Centre (NCSC) issued an unprecedented warning to business leaders: assume your systems will go down — and be ready to keep operating without them. The advice, reported by the BBC, urges executives to keep paper copies of their response plans and prepare for analogue communication if networks are paralysed.

It might sound old-fashioned, but it reflects a blunt reality: cyberattacks are now so frequent and so severe that prevention alone is no longer enough. So, if organisations don’t anticipate attacks, and robustly safeguard the data of those who trust them, they deserve to be held accountable.

“It’s not a matter of if, it’s when. The best organisations accept that reality and plan for it. True resilience isn’t just about keeping companies running — it’s about protecting the people whose data makes those businesses possible.”

The good news is that a recent development in data protection litigation tilted the balance toward greater accountability.

In Farley v Paymaster (Equiniti), the UK Court of Appeal held that claimants do not need to show that their data was accessed by a third party. The act of misaddressing and delivering documents can itself constitute a processing breach. Crucially, the court also rejected a “threshold of seriousness” for non-material damage claims under UK GDPR, meaning that even relatively modest claims for distress or fear of misuse can survive legal scrutiny.

In plain terms: you do not need to show catastrophic harm to make a claim. If your fear or distress is objectively reasonable, you could be owed compensation.

Changing perceptions

For too long, data breach claims have been dismissed by some as opportunistic “ambulance chasing.” That view completely misses the point.

These cases aren’t about chasing compensation for its own sake. They’re about holding organisations to account when negligence causes real harm. Losing control of your personal data isn’t always a minor inconvenience. For some it can mean months of anxiety, financial loss, or, in the worst cases, even danger to life.

When the law steps in to help those who have suffered harm, it’s not exploiting a tragedy, it’s correcting an imbalance. Group actions and individual claims are one of the few ways ordinary people can challenge powerful companies that mishandle their data and then move on without consequence.

“The stereotype of ambulance chasing has no place in this conversation. Data breaches aren’t victimless mistakes — they can destroy credit ratings, compromise privacy and cause lasting emotional distress. Seeking redress for genuine fear, anxiety and financial loss isn’t opportunism, it’s accountability.”

Businesses love to talk about innovation and digital transformation. But data protection is where those promises are tested. Treating personal data as an afterthought isn’t just careless, it’s indefensible.

Until companies see data security as a moral contract with the people they serve, breaches will keep happening. And every time they do, ordinary people pay the price.

Of course, consumers aren’t powerless. UK data protection law gives individuals the right to be informed after a breach, the right to access their data, and — where harm is demonstrated — the right to seek compensation. But these rights are reactive. Real change must come from leadership. Cyber insurance, while essential, is not enough. Preventive investment, resilience planning and transparent accountability need to be built into every company’s DNA.

In the end, the question isn’t just who pays for a data breach, it’s who learns from it. And right now, too many of those with the power to change still aren’t listening.

This information is for general guidance only and does not constitute legal or financial advice.
