eBay has been the victim of what has been described as the “biggest ever cyber-attack in history”, with 233 million customers worldwide potentially affected. Although customers’ passwords remain safely encrypted, personal information including names, addresses and dates of birth has been hacked. In the wake of this news, it has been confirmed that the Information Commissioner is working with European data authorities to take action against eBay, alongside the various investigations already underway in the US.
eBay, a massive multi-national business, has customers across the globe and will have data passing through servers in a number of jurisdictions. Following the Court of Justice of the European Union’s decision last week with respect to the application of data protection principles to Google’s search engine, it is clear that the domestic data protection law will apply to a global internet business with a corporate presence and customers within an EU member state. The Information Commissioner should not have difficulty in establishing jurisdiction to take action against eBay given its reported 14 million active customers in the UK.
Where electronic systems have been hacked, the Information Commissioner faces the sometimes difficult challenge of assessing whether a data controller failed to have “appropriate technical and organisational measures” in place to safeguard against security breaches and therefore breached the seventh data protection principle. However, in this case, his task may be somewhat easier. Given eBay’s size and resources, and considering the vast amounts of personal data within its possession, the Information Commissioner may very quickly conclude that the only “appropriate” approach to security would be to maintain the very best and most up to date security systems available.
If eBay is found to have fallen short of the required standard, it is open to the Information Commissioner to fine the business up to £500,000. The Information Commissioner has demonstrated time and time again his willingness to impose tough fines when data is lost or stolen - for example, last year Sony was fined £250,000 for not maintaining up to date security software, leading to the hacking of the personal data of millions of customers, which in that case included passwords and card details. In assessing the level of penalty, the Information Commissioner is also entitled to weigh up the effect of eBay’s somewhat belated announcement of the security breach. It has been reported that the attack occurred in late February or early March and that customers were only informed of the matter some two weeks later. It is not known at the moment whether this delay caused any further risk to those whose personal data is in the hands of the hackers.
However, a fine of even £500,000 may be considered to have little deterrent impact considering the size of internet giants such as eBay. This issue has been recognised by EU legislators, who have included provision within the draft Data Protection Regulation for fines of up to 2% of a company’s annual turnover for those who breach data protection principles. In the case of eBay, it would be safe to assume that a fine calculated on this basis would be substantially more than £500,000.
In the meantime, individuals whose personal data has been stolen can make a claim under section 13 of the Data Protection Act 1998 for financial compensation from eBay where they have suffered damage or distress due to a breach of data protection requirements. Although it is a defence for eBay to demonstrate that it “had taken such care as in all the circumstances was reasonably required” to keep the personal data of individuals safe, if the Information Commissioner makes a finding that eBay has breached the seventh data protection principle, it will be difficult for it to rely on this defence in responding to individual claims for compensation.
If it is found that eBay has been irresponsible with the vast quantity of personal data in its possession, it can be expected to be held very publicly to account. However, whilst data protection law will only get tougher in the coming years, a fine issued by the Information Commissioner may be eclipsed in impact by the volume of compensation claims from the real victims of the eBay hacking.