Computer hacking victims will be able to claim thousands of pounds in compensation under new laws – even if they do not lose any money.
The ‘distress’ they suffer will be enough to qualify for a payout regardless of whether their accounts have actually been raided.
And with the potential damages as high as £6,000 per person, companies with millions of customers could be left crippled by a cyber-attack.
There are also fears that the introduction next May of the new EU regulations will spark an industry of bogus hacking compensation claims like the holiday sickness scam exposed by The Mail on Sunday.
‘A company that suffers a hack could potentially be wiped out overnight from claims for compensation’, said Claire Mulligan, a partner at Kennedys law firm.
‘The new regulations will have a huge knock-on effect for businesses and they do not have much time to get their heads round it.
Businesses are going to have to change the way they operate and be able to prove they are doing everything to make sure their systems are secure.’
She added that the fear of massive damages claims may deter companies from reporting cyber-attacks to the data protection watchdog.
‘The new regulations raise the possibility that a company may not report a hack to the Information Commissioner if they think it will open them up to damage,’ she said.
Currently victims can make a claim for compensation if hackers raid their bank accounts, but the Data Protection Bill will enshrine their right for a payout for ‘psychiatric and psychological damage.’
The value of damages will depend on the sensitivity of the stolen data. For example, someone whose medical records were plundered could be entitled to the full £6,000.
The move comes following a series of high-profile cyber-attacks on organisations such as the NHS and mobile giant TalkTalk.
If each of TalkTalk’s 157,000 customers affected by the 2013 hack claimed £3,000 compensation the firm would have had to pay out £471 million. At the time it was fined £500,000 for the breach.
The new rules will also increase the fines a company can receive for being hacked.
Federation of Small Businesses chairman Mike Cherry said: ‘It is critical that the Government and the Information Commission provide the right support and guidance to help small businesses understand and prepare for the changes.’