Security breaches always get a lot of press attention but to date there haven’t been that many large fines imposed by the Information Commissioner’s Office (the “ICO”) in the UK. However, last week saw a big one (although some have questioned whether it is big enough) with TalkTalk being given a record GBP400,000 penalty due to a violation of the DPA’s seventh principle on security. This comes on the back of the GBP1,000 fine a couple of weeks ago in respect of TalkTalk’s failure to give notice to the regulator in due time, which we reported on: http://datonomy.eu/2016/09/13/ico-wins-tiny-penalty-but-significant-principle-in-talktalk-security-breach-saga/
This case relates to cyber-attacks perpetrated against TalkTalk between 15 and 21 October 2015, exploiting vulnerabilities in certain webpages. The personal data of 156,959 customers, including financial information, was affected: the attacker accessed the personal data of all of those customers, and the bank account numbers and sort codes of 15,656 of them.
When imposing this fine the ICO held that TalkTalk did not have in place appropriate technical and organisational measures for ensuring that the personal data held on the database could not be accessed. In particular, TalkTalk was not (but should have been) aware that Tiscali’s infrastructure (from which the problems originated, TalkTalk having acquired Tiscali) included webpages that were available via the internet with access to the database, and it failed to remove the webpages or ensure that they were otherwise secure. The ICO pointed out that TalkTalk was operating outdated database software that was affected by a bug for which a fix had been made available over 3 and a half years before the attack took place, and that it had failed to carry out appropriate proactive monitoring that would have discovered such vulnerabilities.
What useful takeaways are there for you as a company from this decision?
- It clarifies what the ICO takes into account in determining whether a breach is “serious”: here, the number of data subjects involved, the nature of the personal data held in the database and the potential consequences.
- It isn’t necessary for there to be deliberate intent to ignore or bypass the provisions of the DPA; fines of this magnitude will also be imposed where there is a serious oversight.
- Technical precautions are important. Here the ICO held that the issue was foreseeable and that TalkTalk should have taken steps including removing the webpages, ensuring adequate testing and monitoring, and applying suitable anti-contravention measures to the database software, either by applying a bug fix or by upgrading the software to a more recent version that was unaffected by the bug in question. Businesses must therefore constantly monitor the market for hardware and software upgrades that could protect their systems, and ensure that appropriate technical and organisational measures are in place to protect personal data securely.
- Companies handling personal data must be well informed about security practices; a failure to implement sensible practice and software updates could be interpreted as a “foreseeability” contravention and hence trigger DPA liabilities.