Recently the UK’s new Information Commissioner, Elizabeth Denham who took over in July 2016, published the £400,000 Monetary Penalty Notice issued to TalkTalk on 30 September 2016. This Notice detailed her reasons for imposing the highest ever UK fine for a serious breach of the Data Protection Act 1998. Denham was pretty scathing – “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
Paul Motion, partner and head of the Data Protection Defence Team at leading independent Scottish law firm BTO Solicitors, commented: “The fine of course relates to TalkTalk’s much publicised data hack on 21 October 2015. TalkTalk has said it found the fine disappointing as it had co-operated fully with the ICO investigation. But the telecoms giant shouldn’t really have been surprised. TalkTalk bought Tiscali in 2009. It appears TalkTalk did not know Tiscali’s infrastructure included old web pages that were still available online, which gave access to a database containing the names of 156,959 customers and bank details for 15,656 people. TalkTalk also did not know the database software was out of date and had not been patched regularly to address vulnerabilities. The same SQL attack that was carried out successfully on 21 October 2015 had also taken place on the same webpages in July and September 2015. The £400k fine was mainly for a serious breach of the seventh Data Protection Principle – failing to have appropriate technical and organisational measures in place to secure data – but also for a breach of the fifth Principle, which outlaws keeping personal data for longer than necessary.
“The ICO said the TalkTalk data breach was likely to cause “substantial distress” to those whose names, addresses and bank details were stolen. The ICO indicated that these details could be used for fraudulent purposes and that even the possibility of fraud happening would be distressing. Further, if the data were misused or disclosed to an untrustworthy third party this would cause further distress, exposing the individuals to blagging and possible fraud. The emphasis on ‘distress’ in relation to this particular breach is interesting given bank details were stolen and one might have expected discussion of the consequences. Be that as it may, distress matters because a recent court case (Vidal Hall –v- Google) held that only distress rather than financial damage was needed to open up a claim against a data controller for compensation under the Data Protection Act (DPA) and for the time being this ruling stands.”
Up until now, the highest fine the ICO had imposed was on an NHS Trust. Brighton & Sussex University Hospitals NHS Trust was fined £325,000 after hard drives from its computers which contained the highly sensitive personal data of tens of thousands of patients and staff were found for sale on the internet.
Paul continued: “One thing that is particularly striking about the TalkTalk fine is that a fine of this size has been imposed on a private sector organisation. The outgoing Information Commissioner appeared to believe that private sector organisations were somehow better at data protection than the public sector. He is on record in the “Independent” of 23rd February 2014 describing local government organisations as “hopeless” in their handling of personal data, a view he then repeated at the ICO’s conference in Manchester two weeks later. If the TalkTalk fine indicates that the new ICO is rowing back from that position, it is a welcome development which may reassure those data protection commentators who were becoming concerned that undue regulatory attention seemed to be directed towards only public sector data protection breaches (though ironically it might be noted that the private sector has been hammered by the same regulator, in relation to cold calling, which is not covered by the DPA but by the PECR regulations).
“Once the new EU General Data Protection Regulation (GDPR) comes into direct effect in May 2018 (which it will, Brexit or not, in this author’s view), organisations will be obliged to report serious breaches and it may be that we then see a true reflection of just how secure organisations are across both sectors. However, be warned, the new Data Protection Regulation will also introduce higher maximum fines of up to €20,000,000 or 4% of global turnover. If the GDPR had been in force today, TalkTalk could have faced a fine of £35 million. Those who feel fines of that size are unlikely might draw an analogy with Aviva UK Life, which was fined £8.2 million this week by the Financial Conduct Authority. Aviva’s fine was because it had failed to ensure that it had adequate controls and oversight arrangements to effectively control the outsourced administration of client money.
“Fines of this size, and more importantly avoiding them, may encourage Board Members to put data management much higher up on the boardroom agenda. The reference to data management is deliberate. Whilst security is an important factor, an holistic approach is needed. Whilst good data security is important, the ICO also expects to see good management and has repeatedly emphasised that staff training will be taken into account in judging the adequacy of organisational measures required by the DPA 1998.”
(Source: BTO Solicitors LLP)