Last week, the Information Commissioner's Office issued a record fine of £400,000 for a breach of the Data Protection Act 1998 by Talk Talk. The breach related to a lapse in security by Talk Talk which resulted in a cyber-attacker accessing 156,959 customers' personal data. The case highlights the need for organisations to know exactly what personal data they hold, where the data is stored and to ensure that the data is adequately secure.
In 2009, the UK arm of Tiscali was acquired by the Talk Talk Group. Tiscali's website included webpages which allowed access to a database containing the personal data of 156,959 Tiscali customers. The customers' data included their names, contact details and financial information. Talk Talk did not appear to appreciate that these webpages remained live following its acquisition of Tiscali.
To compound matters, the webpages used outdated software and the database was affected by a bug which undermined its security (but which could have been fixed).
In October 2015, the webpages were targeted by a cyber-attacker who managed to access the customers' data.
The ICO's decision
On 30 September the ICO found that Talk Talk:
- did not have in place appropriate security measures;
- was not aware that the webpages were still live;
- failed to remove or secure the webpages;
- was operating outdated software which needed to be fixed; and
- failed to take a proactive approach to security which could have discovered the vulnerabilities.
The ICO was satisfied that the breach was serious due to the number of individuals affected and due to the potential consequences of the breach. The ICO found that, for no good reason, Talk Talk had overlooked the need to ensure that it had robust security measures in place despite having the available resources.
Whilst the ICO found that Talk Talk's breach of the DPA was not deliberate, there had been a serious oversight and Talk Talk should have known of the risk.
When considering the level of the fine to impose, the ICO took into account the facts that (1) the breach was not a one-off event or due to mere human error; (2) the personal data had been kept for longer than was necessary; and (3) Talk Talk had access to sufficient financial resources to pay the fine without undue financial hardship.
The fine imposed on Talk Talk is £50,000 more than the previous highest fine, which was issued in February of this year against Prodial Limited. Prodial had been making automated calls relating to PPI claims and received a fine of £350,000. Over recent years the ICO has significantly increased both the number of fines it issues and the value of the individual fines.
Currently, the maximum fine which the ICO can issue for a data breach is £500,000, but this ceiling is set to rise to €20,000,000 (or 4% of an organisation's global annual turnover) when the General Data Protection Regulation replaces the DPA in May 2018.
Before the new Regulation comes into force, organisations should consider the security provisions they have in place to protect personal data, ensure data is not being held for longer than necessary and establish exactly what personal data they hold.
Bevan Brittan's Information Law Team specialise in helping organisations comply with their obligations under the DPA and prepare for the new requirements imposed by the General Data Protection Regulation. This includes drafting technical and organisational data protection procedures and policies, assisting data controllers with handling complex subject access requests and providing tailored staff training on data protection compliance.