In the run up to the General Data Protection Regulation (GDPR) that comes into force in all EU Member States in May 2018, the Information Commissioner’s Office (ICO) has sent a strong message to industry boardrooms. The ICO has issued a record fine of £400,000 to TalkTalk for its failure to have in place the appropriate security measures to protect the personal data it was responsible for.
The breach (last year) involved a hacker accessing the personal data of over 150,000 TalkTalk customers, including names, dates of birth, personal contact details and bank details. The ICO’s investigation revealed an inexcusable failure by TalkTalk to put in place even the most basic cyber security measures, which could ultimately have prevented the attack. Surprising as it may seem for a well-resourced business, ignorance and the unintentional nature of the breach proved to be no defence. TalkTalk was unaware that its software was outdated and that its systems were affected by a bug. The hacker used a common technique which TalkTalk had experienced twice that same year. In other words, TalkTalk could and should have been aware of the risks and have acted to prevent them.
Although the fine issued by the ICO is the highest ever to date (just short of the maximum fine of £500,000), it was inconsequential in comparison to the commercial and reputational damage suffered by TalkTalk. The significant negative publicity, combined with reported costs of £60 million, will undoubtedly have chilling consequences for TalkTalk’s future. The greatest repercussion, perhaps, is to customer loyalty, with the loss of over 100,000 customers. A separate criminal investigation is also ongoing.
Penalties will soon be higher under the GDPR, with national regulators having the power to impose fines of up to the greater of €20 million or 4% of annual worldwide turnover. There will also be more onerous obligations imposed on businesses under the GDPR regime. Despite Brexit looming, it seems likely that UK data protection legislation will in any event be the same as or mirror the GDPR, so the GDPR still needs to be complied with. For example, TalkTalk separately received a £1,000 fine for failing to report a further security breach within 24 hours, as is required for telecoms companies. Under the GDPR there will be a 72-hour data breach reporting obligation (save for some minor, non-serious breaches) on businesses in all sectors, not just telecoms. Sound internal reporting structures within the business between the various stakeholders (including IT, legal and management) will be key to satisfying existing and especially future reporting obligations.
What does this mean/teach us?
You should ensure that your business has appropriate and effective security measures in place to protect personal data. In practice, this will involve an assessment of any existing data security measures, and identifying and addressing the risks found. It was a lack of protection that exposed TalkTalk to severe financial and reputational consequences. Embedding a risk awareness culture amongst a workforce can be achieved by implementing and enforcing effective data protection policies, processes and procedures, which should tie into the HR policies and allow for regular awareness training. This should also be supported by having a robust crisis response strategy in place, ready to action in the event of a cyber attack.
As the TalkTalk example shows, the breach may be instantaneous, but overcoming and undoing the damage caused (if that is ever possible) is certainly not. The lesson is that businesses need to take a proactive, rather than reactive, stance to cyber security.
For more information, please contact Razia Begum on +44 (0)20 7382 8025.
Razia is a senior associate in the employment team. She specialises in providing commercial and practical advice to clients on employment and data protection legislation.