The Only Way Is Up – Fining Powers on the Increase for Data Protection Breaches

Julianna Tolan

Last year saw the Information Commissioner’s Office impose record fines for data protection breaches, totalling £2,155,500.

TalkTalk was on the receiving end of the greatest financial penalty in ICO history for a highly publicised cyber-attack that claimed more than 150,000 of its customers’ personal details. The regulator considered these security failings sufficiently grave to issue the telecoms company with a £400,000 fine, close to its maximum fining powers of £500,000.

Other recipients of financial penalties from the ICO in 2016 included EE Limited, Hampshire County Council and David Lammy MP. In the latter case, Mr Lammy was accused of instigating 35,629 calls over two days, playing a recorded message that urged people to back his campaign to be named the Labour party candidate for London Mayor. This conduct resulted in a £5,000 fine for nuisance calls.

Of course, the ICO has a host of other enforcement tools at its disposal, such as issuing undertakings, serving enforcement notices and in the most serious cases, commencing a criminal prosecution against individuals or companies who contravene the Data Protection Act.

But for bottom-line-conscious businesses, monetary penalties have historically been an effective means of compelling compliance with good business practice.

That ought to be the case now more than ever, as the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which will radically increase the maximum fines that can be imposed on UK businesses from £500,000 to an upper limit of €20 million or 4% of annual global turnover – whichever is higher.

These previously unprecedented fining powers mean that for many companies, the outcome of a serious data protection breach could conceivably result in insolvency or even closure of the business.

Given the profound detriment that data losses have been shown to cause to consumers over the past 12 months, it is perhaps timely that the ICO is finally catching up with other UK regulators. Enforcement authorities in the fields of health and safety, competition and environmental protection have long possessed the power to impose exorbitant fines capable of closing errant businesses down.

With the GDPR on the horizon, businesses should now seize the opportunity to monitor and review their compliance with data protection laws, including the effectiveness of internal policies and procedures. After all, the consequences of failing to do so could be costly.

Julianna Tolan is an Employed Barrister in the Dispute Resolution team at Fox Williams LLP acting for commercial and financial services clients in respect of contentious and non-contentious regulatory issues. Julianna can be contacted at jtolan@foxwilliams.com

Data, duties and directors

Jessica Calvert

The ICO blog recently reported that of the £2.7 million worth of fines issued in relation to nuisance calls since April 2015, only 6 of the 27 fines issued have been paid, leaving a total of £2.26 million penalties unpaid. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Privacy Regulations”) contain powers for the ICO to fine companies which make marketing calls and texts, where the recipients have not consented to be contacted.

Recent fines that have been issued include:

  • a £70,000 fine to London based Nouveau Finance Limited, a company that sent 2.2 million spam text messages without consent from the recipients;
  • a £30,000 fine to Assist Law, a will writing firm in Weston-Super-Mare, for making unsolicited marketing calls to persons registered with the Telephone Preference Service (TPS) for over a year.

Many of the companies fined have, however, so far avoided paying the fines by filing for insolvency. As the regulator put it, this is “leaving by the back door as the regulator comes through the front door”.

At present the ICO can issue fines of up to £500,000 where there has been a serious contravention. These can be imposed on any legal person (e.g. a business or charity, or an individual); however, there is no specific right to fine the directors responsible for such companies. A change to legislation is expected in Spring 2017 which will introduce fines of up to £500,000 for directors of nuisance marketing firms, and hopefully break the cycle whereby the same directors continue to operate under a new company.

The change in law should also be noted by all directors who fall within the remit of the Data Protection Act 1998 (“DPA”), if not the Privacy Regulations, as there is a clear move being made to penalise those accountable for breaches relating to personal data. Points worth noting are:

  • The ICO has the power to fine directors for breaches of the Data Protection Act where the breach can be shown to have occurred with a director’s consent, connivance or neglect;
  • Under the GDPR fines of value up to 4% of annual worldwide turnover, or 20 million euros, whichever is greater, will be possible;
  • When the GDPR is enacted data processors as well as data controllers will also be caught; and
  • Breach of general director duties to act in good faith, in the best interests of the company, and to exercise reasonable care, skill and diligence could result in an action for damages, termination of a directorship, or disqualification as a director.

Jessica Calvert is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jcalvert@foxwilliams.com

ICO reports its own data security breaches

Josey Bright

An article in the Evening Standard last week revealed that the ICO has investigated itself in a number of complaints made against it since 2013, at least 11 of which have been upheld.

Seven of the complaints resulted in the ICO being ordered to take action to prevent further breaches, two with compliance advice being given, and two with concerns being raised.

There were also at least three occasions where the ICO’s own staff reported themselves to the Information Commissioner for accidental breaches of individuals’ personal data, although the Information Commissioner ruled that there was “no detriment” to anyone arising from the self-reported breaches.

The ICO’s internal investigations were revealed following a Freedom of Information request made by Liberal Democrat peer, Lord Paddick. In a letter to Lord Paddick’s office, the ICO’s lead information access officer, Ian Goddard, said: “We oversee the Data Protection Act 1998 but we also have to comply with its requirements. This means that on occasion we will have to self-report to ourselves in our capacity as a regulator. It also means that individuals can raise complaints about us, to us, in our capacity as a regulator.”

The article serves as a reminder that, from 25 May 2018, when the General Data Protection Regulation (“GDPR”) comes into force, it will be mandatory to report data breaches. Currently, under the Data Protection Act, it is not compulsory for data controllers (excluding telcos) to report breaches of data security to the ICO, although non-binding ICO guidance recommends that serious breaches should be brought to its attention.

Under the GDPR, organisations will be required to notify the ICO of a data breach without undue delay and where feasible, within 72 hours. In addition, data processors will be required to notify data controllers of a data breach. Failure to report a breach could result in a fine, as well as a fine for the data breach itself. With the maximum fines under the GDPR raised to the higher of 4% of annual worldwide turnover or 20 million euros, organisations should ensure that they have the right procedures in place to detect, report and investigate a personal data breach.

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com

ICO: “Cyber security is not an IT issue, it is a boardroom issue”

Josey Bright

Talk Talk

On 5 October 2016, Talk Talk was issued with a £400,000 fine – the highest fine yet from the Information Commissioner’s Office (“ICO”) – for breach of its security obligations under the Data Protection Act 1998 (“DPA”).

Between 15 and 21 October 2015 a hacker took advantage of technical weaknesses in Talk Talk’s systems and succeeded in accessing the personal data of 156,959 customers. In 15,656 cases, the attacker also had access to bank details and sort codes.

The Information Commissioner, Elizabeth Denham, said that the “fine acts as a warning that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.”

In addition to the fine, the costs resulting from Talk Talk’s data security breach amounted to £60 million.

Data Security Principle under the DPA

The seventh data protection principle in the DPA requires that personal information must be kept secure. It says that: “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The DPA is not prescriptive about what measures must be taken, and there is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, and businesses should adopt a risk-based approach to deciding what level of security they need.

Preventative measures – lessons learnt from the ICO’s Talk Talk investigation

The ICO found that the inadequacies in Talk Talk’s security measures were the result of “serious oversight” rather than a deliberate intent to ignore or bypass the provisions of the DPA. The cyber-attack could have been prevented if the company had taken basic technical and security measures. In particular, the ICO identified the following issues:

  • Legacy Pages: the data was part of an underlying customer database that Talk Talk inherited when it acquired Tiscali in 2009. These pages were vulnerable and Talk Talk had failed to identify and remove them or make them secure.
  • Outdated Software: Talk Talk was not aware the database software was outdated. It did not know that the software had a bug or that a remedy for the bug had been publicised in 2012 and was easily available.
  • Defences: The hacker used a common technique called SQL injection to which defences exist. Talk Talk ought to have known that there was a risk to the data from this technique and ought to have implemented sufficient defences.
  • Lack of Monitoring: Talk Talk did not proactively monitor its systems to discover vulnerabilities.

The investigation found that Talk Talk was unaware of two previous SQL injection attacks, on 17 July 2015 and between 2 and 3 September 2015, and consequently Talk Talk’s contravention of the seventh data protection principle was ongoing until it took remedial action on 21 October 2015.

The ICO considered the breach serious due to the number of data subjects, the nature of personal data and the potential consequences from the breach – the data could be used for fraudulent purposes.

Other notable cyber attacks

The Talk Talk breach is one of several security breaches to have come to light in recent months. The size and scale of these security breaches illustrates the Commissioner’s statement that companies urgently need to take stock of their cyber security arrangements.

  • Myspace: In June this year, Myspace discovered 360 million passwords and email addresses had been stolen in a hack that occurred in 2013 and these details were discovered listed on the dark web.
  • Yahoo: In August, Yahoo discovered that at least 500 million of its accounts had been hacked in 2014. Yahoo only discovered the 2014 breach because it was investigating reports of a separate breach. The theft is the world’s biggest cyber breach so far. The data stolen included names, email addresses, telephone numbers, dates of birth and encrypted passwords.
  • Tesco Bank: Early this month, Tesco Bank suffered a serious cyber-attack which affected 40,000 customer accounts. Money was stolen from 9,000 current accounts, forcing Tesco Bank to suspend all online transactions. Its security arrangements are currently being investigated by a number of regulatory bodies including the National Crime Agency and the ICO. However, a number of cyber security experts have indicated that its software was vulnerable and was being targeted by cyber criminals for months. Notwithstanding any fines Tesco Bank may be required to pay, it has already spent £2.5 million compensating customers for their losses.

Practical steps for securing data

By being vigilant and proactive, companies ought to be able to prevent significant security breaches and the regulatory fines and compensation payments they incur, not to mention the stigma that such breaches attract.

The following practical steps should be considered to enhance data security:

  • Updates Policy: it is good practice to have an updates policy for software which is used to process personal data and to ensure all software components are included in the policy (e.g. operating systems, applications, libraries and development frameworks);
  • Testing: regularly test and monitor online systems and software for common threats such as SQL injections;
  • Unnecessary Services: completely decommission any service that is not necessary and periodically review remaining services; and
  • Encryption: use encryption schemes to secure the communication of data across the internet.
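The “Defences” finding in the ICO’s Talk Talk investigation and the “Testing” step above both turn on the same point: SQL injection succeeds when user input is concatenated into query text, and fails when the value is passed as a query parameter. The following is an added illustration, not code from the original post or from any of the companies it discusses. It uses an in-memory SQLite table of constructed sample rows (no real customer data) to show a vulnerable lookup beside its hardened form, together with a small regression check of the kind a team could run as part of the regular testing the post recommends. All table, column and function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for a customer table; not any real schema.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "A. Example"),
    (2, "bob@example.com", "B. Example"),
    (3, "carol@example.com", "C. Example"),
]


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Builds the SQL by string concatenation, so the input becomes part of the query text.
    This is the pattern that makes SQL injection possible."""
    sql = "SELECT id, email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Parameterised query: the driver sends the value separately from the statement,
    so whatever the input contains is compared as data and never parsed as SQL."""
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Well-known textbook probes used only to check our own code in a test database.
INJECTION_PROBES = [
    "' OR '1'='1",
    "x' OR 1=1 --",
]


def injection_check(lookup, conn=None):
    """Regression check for a lookup function.

    A genuine lookup for an address that is not in the table must return zero rows.
    If any probe returns more rows than that baseline, the input was interpreted as
    SQL and the function is reported as vulnerable. Returns (is_vulnerable, findings)
    where findings maps each probe to the row count it produced (or an error text).
    """
    conn = conn or make_db()
    baseline = len(lookup(conn, "nobody@example.com"))
    findings = {}
    for probe in INJECTION_PROBES:
        try:
            findings[probe] = len(lookup(conn, probe))
        except sqlite3.Error as exc:
            # A syntax error is still a sign that input reached the SQL parser.
            findings[probe] = "error: %s" % exc
    vulnerable = any(isinstance(n, int) and n > baseline for n in findings.values())
    return vulnerable, findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        is_vuln, details = injection_check(fn)
        print("%s lookup: %s %s" % (name, "VULNERABLE" if is_vuln else "ok", details))
```

Run as a script, the vulnerable lookup returns every row in the table for both probes while the hardened lookup returns none. The same check can be pointed at any query-building function in a code base and kept in the test suite, so that a future change which reintroduces string concatenation is caught before release rather than by an attacker.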

Higher fines under the General Data Protection Regulation (“GDPR”)

The maximum fine the ICO is currently able to award under the DPA is £500,000. The new General Data Protection Regulation (GDPR), which will have effect from May 2018, offers the ICO the potential to fine up to 20,000,000 EUR or up to 4% of annual worldwide turnover, whichever is the higher.

That’s 20m reasons for companies to review their data security policies and practices.

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com

Facebook, WhatsApp and mission creep

Emma Roake

German regulators have slapped down WhatsApp’s move to share its users’ data with parent company Facebook, calling it an “infringement of national data protection law”.

Despite Facebook and WhatsApp publicly committing in 2014 (when Facebook bought WhatsApp) that users’ data would not be shared between the two companies, recent changes to WhatsApp’s terms and conditions have reversed this position. The new terms and conditions state that user data (including the mobile number and device information of the WhatsApp user) will be shared with Facebook, including for targeted advertising purposes. The terms and conditions automatically opt users in to the data-sharing arrangement.

However, in the last few days of September, the Hamburg data protection commissioner issued an administrative order which:

  • prohibits Facebook from collecting and storing the data of German WhatsApp users; and
  • compels Facebook to destroy any data which has already been collected from German WhatsApp users.

The Hamburg data protection commissioner has said that the WhatsApp user’s consent to the data-sharing needs to be obtained for it to be lawful, and that this had not happened.

Facebook is appealing the decision.

The changes to WhatsApp’s terms and conditions have caused widespread controversy since being announced, and have caused concern with data regulators around the world.

The UK’s data protection regulator (the ICO) has announced that it is investigating the data-sharing on behalf of WhatsApp users in the UK.  Elizabeth Denham (the new information commissioner) commented in an interview with BBC’s Radio 4 that there was a “lot of anger” amongst the UK’s WhatsApp users.  Ms Denham also addressed the WhatsApp / Facebook data-sharing arrangement in her first speech as information commissioner on 29 September 2016, commenting that “all of this is about transparency and individual control”.

Transparency and trust were the central themes of Ms Denham’s first speech, where she explained that her fundamental objective as information commissioner was to build a culture of data confidence in the UK.  She noted her concern that an ICO survey from earlier in the year had shown that only 1 out of every 4 adults trust businesses with their personal data.

Ms Denham made clear that the ICO would pick and choose its investigations carefully, making sure that those investigations were relevant to the public.  Unsurprisingly, she said that technology “is already at the forefront” of most of the ICO’s major investigations.  For example, in addition to investigating the change in WhatsApp terms and conditions, the ICO has in the last few weeks asked questions about the major Yahoo data breach.

The ICO has indicated that it will be putting out an update soon on its WhatsApp/Facebook investigation.  It will be interesting to see whether the ICO follows the approach of the German regulators.

Emma Roake is a senior associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at eroake@foxwilliams.com