On 30 September 2016, the new Information Commissioner, Elizabeth Denham, flexed her regulatory muscle and issued a record breaking fine of £400,000 against telecoms giant TalkTalk Telecom Group plc (“TalkTalk”).
The fine related to the much publicised cyber attack suffered by the company between 15 and 21 October 2015, which resulted in the personal data of 156,959 customers being accessed.
The fine represents the highest amount ever enforced by the ICO against a data controller. However, this article is less concerned with the financial significance and is, instead, more interested in the matters revealed by the ICO investigation into TalkTalk, namely:
- why TalkTalk was vulnerable to a cyber attack in the first place;
- why such vulnerabilities will be of even greater significance to large groups of companies like TalkTalk when the General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018; and
- why it is important for businesses to conduct internal reviews of not only their own but their entire group’s privacy practices and compliance.
What went wrong?
As a data controller under the Data Protection Act 1998 (“DPA”), TalkTalk are under a legal obligation to ensure that “appropriate technical and organisational measures [are] taken against unauthorised or unlawful processing of personal data…”.
As noted, the cyber attack gave access to 156,959 customer records, including their name, address, date of birth, phone number and email address. Amongst those affected, 15,656 also had their bank account details (including sort codes) accessed. Simply by virtue of such data being accessed in such quantities, TalkTalk plainly failed to comply with its legal obligations. However, the ICO took particular issue with TalkTalk’s failure to make even basic checks of the affected systems prior to the breach.
In 2009 TalkTalk purchased the UK operations of Tiscali. As part of this acquisition, TalkTalk inherited certain infrastructure, which included webpages with underlying access to databases storing customer data. These webpages were still live in 2015 (during the period of the cyber attack). Further, the databases to which these webpages were linked were running outdated software affected by a bug for which a patch (fix) had been available since 2012.
The existence of the webpages, the outdated software and the bug meant that the perpetrator of the cyber attack was able to break through security and access the personal data by means of an SQL injection attack – a well-known (and easy to learn) method that should have been defended against.
The ICO investigation found that TalkTalk had failed to “undertake appropriate proactive monitoring activities to discover [such] vulnerabilities”, meaning it:
- was not aware of the existence of the webpages;
- failed to “remove the webpages or ensure that they were otherwise made secure”; and
- had not updated its database operating software or applied the readily available fix to remove the bug in the outdated software.
In essence, TalkTalk suffered a significant breach (and has subsequently received the highest fine to date) because it did not conduct a proper assessment of (or exercise the appropriate control over) its own group’s security practices and compliance with data protection laws.
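To make the defect concrete for a non-technical reader, the following is an added illustration (not code from the article, from TalkTalk or from the ICO report). It uses a constructed in-memory table of sample customer records and contrasts a customer lookup built by string concatenation, the kind of legacy code that makes SQL injection possible, with the same lookup using parameter binding, which is the standard defence.

```python
import sqlite3

# Constructed sample data standing in for customer records behind a legacy lookup page.
CUSTOMERS = [
    (1, "alice@example.com", "Alice Example", "AB-1001"),
    (2, "bob@example.com", "Bob Example", "AB-1002"),
    (3, "carol@example.com", "Carol Example", "AB-1003"),
]


def make_db():
    """Create an in-memory database holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, name TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Legacy style: the caller's input is pasted into the SQL text itself."""
    sql = "SELECT id, email, name, account FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Defended style: the driver binds the input as a value, never as SQL."""
    sql = "SELECT id, email, name, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare():
    """Return how many records each lookup exposes for a normal and a malformed input."""
    conn = make_db()
    normal = "alice@example.com"
    malformed = "x' OR '1'='1"  # constructed input that alters the WHERE clause when concatenated
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
        "hardened_malformed": len(lookup_hardened(conn, malformed)),
    }


if __name__ == "__main__":
    print(compare())
```

The concatenating version hands back the whole table for the malformed input, while the bound version returns nothing, which is why patching and parameterising inherited webpages is a board-level inventory question rather than a detail.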
In summarising the enforcement, the Commissioner noted that:
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information.”
The impact of the ICO decision on civil claims
The ICO fine adds to the already well-publicised multi-million pound losses suffered by TalkTalk as a result of the breach, including remedial costs, business interruption, loss of customers and voluntary consumer compensation.
In addition, the ICO’s investigation and conclusions may yet be used in any group litigation against the organisation and, defending any such action, there will be questions over the extent to which TalkTalk can assert legal privilege in respect of its own internal investigation.
The GDPR looms
Looking beyond the consequences for TalkTalk, the ICO investigation is particularly illuminating in light of the GDPR because the breach related to only a very small portion of TalkTalk’s operations, yet its effects have been substantial.
Under the GDPR, supervisory authorities in the EU (like the ICO) will have increased enforcement powers, enabling them to issue fines of up to 4% of worldwide annual turnover (2% in relation to data security breaches). Unlike the position under the DPA, these fines will not be levied against the offending entity but instead against the relevant ‘undertaking’.
What is meant by an ‘undertaking’ has not been directly defined in the GDPR, but the preamble to the regulation specifically references the interpretation in Articles 101 and 102 of the Treaty on the Functioning of the European Union.
Without taking a ‘deep dive’ into this Treaty or the interpretation presented within it and in case law, the basic position appears to be that, in the event of a breach of the GDPR committed by a single company or branch, the relevant controlling company (which could be the ultimate holding company) might be liable to the resultant fine (up to 2% or 4% of worldwide annual turnover).
For example, a company with a small turnover per annum suffers a security breach due to a failure to properly secure its systems. Its holding company has a much larger turnover per annum and demonstrates the necessary level of control to be regarded as part of the offending ‘undertaking’. The ICO issues a fine against the entire undertaking for 2% of worldwide annual turnover – because the holding company is part of the undertaking, this fine represents a sum equivalent to 2% of the much larger annual turnover.
Clearly, this is a change in law that is of potentially immense importance and highlights the need for companies to conduct proper internal assessments of their own and (crucially) their group’s security measures and privacy compliance. Of course, regulator guidance may provide more clarity on how the interpretation of an undertaking will be applied in practice, but this top-down approach to privacy compliance is certainly backed up by the Commissioner’s comments in relation to the TalkTalk matter:
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.”
If the ICO fine in this case is not warning enough, the GDPR is little more than 18 months away, so businesses should be planning and conducting appropriate internal reviews now so that they can make the changes necessary to ensure data privacy compliance.