The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has publicly announced the imposition of a £400,000 ‘monetary penalty’ on the British telecommunications company and internet service provider TalkTalk. The penalty was issued in response to a cyber-attack in October 2015 which compromised the personal data of over 150,000 TalkTalk customers.
The penalty, imposed under statutory powers granted to the ICO by the Data Protection Act 1998 (“DPA”), is the largest to date, and falls just short of the maximum fine of £500,000 which the ICO is allowed to levy by law. It follows on the heels of a much smaller fixed penalty of £1,000 which was also imposed on TalkTalk by the ICO, in that case for failing to notify the ICO about the data breach within the timescales required for telecommunications companies by the Privacy and Electronic Communications Regulations 2003.
In the notice issued to TalkTalk with the more recent penalty, the ICO details the ways in which it found the company to be in contravention of its obligation under the DPA to “take appropriate technical and organisational measures against the unlawful or unauthorised processing of personal data”, also known as the seventh principle of the DPA.
Crucially, TalkTalk had not taken sufficient measures to prevent the customer database targeted in the attack from being accessed by an attacker using SQL injection: a technique in which input supplied through a web application is spliced into a database query without being separated from the query text, so that the attacker’s input is executed as SQL commands rather than treated as data. The ICO found that TalkTalk was operating an outdated database software version with a known vulnerability, and that this database was reachable through webpages inherited from its legacy Tiscali business.
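To make the class of flaw concrete, the following is an added example written for this page; it is not TalkTalk’s code, nor anything taken from the ICO’s notice. The `customers` table, its columns and the sample rows are constructed stand-ins for a customer database, and the function names are assumptions. It shows a lookup that splices user input into the query text beside the parameterised version, and runs two classic payloads against both: a tautology that dumps every row, and a `UNION` that reads the schema catalogue, which is how an attacker learns what else is there to take.

```python
"""Added example: SQL injection vs. a parameterised query (constructed data).

Not TalkTalk's code and not from the ICO notice. The table, rows and
function names are assumptions made for this illustration.
"""
import sqlite3

# Constructed sample rows: (email, name, account_number, sort_code).
CUSTOMERS = [
    ("alice@example.com", "Alice Example", "12345678", "01-02-03"),
    ("bob@example.com", "Bob Example", "87654321", "04-05-06"),
    ("carol@example.com", "Carol Example", "11223344", "07-08-09"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "email TEXT PRIMARY KEY, name TEXT, account_number TEXT, sort_code TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the user-supplied value becomes part of the SQL text, so a
    quote character in the input changes the structure of the statement."""
    query = (
        "SELECT name, account_number, sort_code FROM customers "
        f"WHERE email = '{email}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value is bound as a parameter, so the database only ever
    compares it as data; it cannot alter the statement."""
    query = "SELECT name, account_number, sort_code FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo() -> dict:
    """Run a legitimate lookup and two payloads through both functions."""
    conn = make_db()
    legit = "alice@example.com"
    # Tautology: closes the literal and makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    # Schema discovery: appends a UNION over SQLite's catalogue table; the
    # trailing comment swallows the original closing quote. Three columns are
    # selected to match the original SELECT list.
    union = "' UNION SELECT name, sql, type FROM sqlite_master --"

    vuln_union_rows = lookup_vulnerable(conn, union)
    safe_union_rows = lookup_safe(conn, union)
    return {
        "vuln_legit": len(lookup_vulnerable(conn, legit)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_legit": len(lookup_safe(conn, legit)),
        "safe_tautology": len(lookup_safe(conn, tautology)),
        # True if the catalogue leaked the 'customers' table definition.
        "vuln_union_finds_schema": any(r[0] == "customers" for r in vuln_union_rows),
        "safe_union_finds_schema": any(r[0] == "customers" for r in safe_union_rows),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns all three constructed rows for the tautology payload and leaks the table definition for the `UNION` payload, while the parameterised lookup returns nothing for either, because the whole payload is compared as a single string against the `email` column. Binding parameters is the fix for the query-construction flaw; it is separate from, and does not substitute for, keeping the database server itself patched, which the ICO notice treats as a second failing.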
In setting the level of the penalty, the ICO identified a number of aggravating factors which made the data breach particularly serious. These were:
- the number of individuals (data subjects) affected;
- the sensitivity of the data (in over 15,000 cases, the data included bank account numbers and sort codes);
- the potential consequences of the breach for the data subjects; and
- the fact that TalkTalk ought reasonably to have known that there was a risk a breach of this kind would occur.
However, the ICO stopped short of finding that the contraventions of the DPA were ‘deliberate’.
This record penalty comes at a time of ever increasing awareness of the prevalence of cyber-attacks and the breaches of customer data that follow from them. A recent Lloyd’s of London report revealed that, of the large European companies surveyed, 92% were aware of having experienced a data breach in the last five years. In 2016 alone, large-scale breaches involving familiar names such as Yahoo, Inc., Sage Group plc and Seagate Technology plc have been in the headlines.
The penalty also arrives approximately 18 months ahead of a change in the law across the EU (including, it is anticipated, the UK) from the current data protection regime to the General Data Protection Regulation (“GDPR”). The GDPR will significantly increase enforcement risk for companies which breach data protection rules, including in respect of data breaches. It will allow fines of up to the greater of EUR 20 million or 4% of a company’s total worldwide annual turnover. It will also introduce a mandatory breach reporting regime for all organisations acting as data controllers, under which a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it.
For telecommunications companies like TalkTalk, as well as other providers of critical infrastructure such as banks, utility companies and transport operators, the GDPR rules will sit alongside another new set of rules in the Directive on security of network and information systems (the “NIS Directive”), which also includes an incident reporting regime, together with provisions on information sharing and on the setting of guidelines for incident management.
It is also worth noting that the GDPR sets out specific factors which supervisory authorities must take into account when setting the level of a fine. These include:
- the number of data subjects affected and the level of damage suffered by them;
- the technical and organisational security measures which had been implemented;
- the degree of cooperation with the supervisory authority;
- the manner in which the infringement became known to the authority (i.e. was the authority notified?); and
- whether the infringement was intentional or negligent.
Some of these are very similar to the factors relied upon by the ICO in determining the level of TalkTalk’s penalty, leading to the conclusion that this data breach would have been met with a much higher penalty had it occurred in October 2018, once the GDPR applies, rather than in October 2015.