Record Data Protection Fine for TalkTalk
Elizabeth Denham became the new UK Information Commissioner on Monday 18 July 2016. Less than three months into the role she has issued TalkTalk with a monetary penalty of £400,000 - the largest ever fine of its type - after finding TalkTalk had seriously contravened its obligations under the Data Protection Act 1998 ("DPA").
In 2009 TalkTalk acquired the UK operations of Tiscali. The acquisition included Tiscali's webpages and access to a database known as "Tiscali Master". The database contained a large amount of personal data. The webpages suffered from a common security vulnerability which is well understood in the industry and known defences exist. TalkTalk did not take any steps to remove webpages or otherwise make them secure by applying a common fix.
In October 2015 a cyber-attack exploited vulnerabilities in a number of the webpages. This provided the attacker with access to the database and, consequently, the personal data of 156,959 customers (including, in some cases, financial information).
The Information Commissioner held that TalkTalk had failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data. Furthermore, TalkTalk should have known that an attack on the webpages would be likely to cause substantial damage and substantial distress to the data subjects. In such circumstances, the Information Commissioner held that a monetary penalty would be fair and just.
Despite the fact that the fine issued by the Information Commissioner is for a record amount, she did highlight a number of mitigating factors (which will have served to lower the amount of the fine):
- TalkTalk did not deliberately contravene the DPA. The database was subjected to a criminal attack. TalkTalk's failure to take appropriate steps to remove the webpages or otherwise secure them was a serious oversight rather than a deliberate intent to ignore or bypass the provisions of the DPA.
- TalkTalk reported the incident to the Information Commissioner, co-operated with the investigation and notified its customers of the attack. TalkTalk has also taken substantial remedial action since the attack.
- The incident has been widely publicised in the media and a monetary penalty may further impact on TalkTalk's reputation.
The Information Commissioner commented that "this is an opportunity to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data" thus firing a warning shot at any data controllers who currently apply a laissez-faire attitude to data protection.
The Government has recently announced plans to crack down on nuisance calls by providing the Information Commissioner's Office with powers to hold company directors directly responsible and liable to a fine of up to £500,000. The Information Commissioner welcomed the news commenting that "Making directors responsible will stop them ducking away from fines by putting their company into liquidation. It will stop them leaving by the back door as the regulator comes through the front door."
Such powers may be introduced as early as spring 2017 and the move demonstrates a hardened stance from both the Government and the Information Commissioner towards ensuring protection of personal data.
The EU General Data Protection Regulation ("GDPR") will come into force automatically across the EU in May 2018, which is before the anticipated departure of the UK. As such, the GDPR will apply automatically in the UK from that date - and in any event it is widely believed that organisations in the UK will have to continue to abide by the GDPR or equivalent obligations following Brexit. The GDPR will further increase the enforcement powers as well as the obligations imposed on data controllers and data processors. We will be providing information on how you can get your organisation prepared for the GDPR over the coming weeks and months. If you have any queries in the meantime or if you would like to be kept informed of developments, please do not hesitate to contact David White on 01482 337209 or by email to firstname.lastname@example.org.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.