The Data Protection Commission (“DPC”) recently issued its final report in respect of its investigation of a data breach concerning Yahoo! (“Yahoo”, since renamed Oath).
The breach was reported in September 2016. In the course of its investigation, however, the DPC established that the breach dated back to 2014 and involved the unauthorised copying and exfiltration of material contained in approximately 500 million Yahoo user accounts.
The breach ranks as one of the largest to affect EU citizens, impacting approximately 39 million European users, and it is the largest breach ever notified to and investigated by the DPC.
The findings made by the DPC include the following:
- Yahoo’s oversight of the data processing operations performed by its data processor did not meet the standard required by EU data protection law and as given effect or further effect in Irish law (“applicable data protection law”);
- Yahoo relied on global policies which defined the appropriate technical security and organisational measures implemented by Yahoo. Those policies did not adequately take into account Yahoo’s obligations under data protection law; and
- Yahoo did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law.
Based on its findings, the DPC has notified Yahoo that it is required to take specified and mandatory actions to bring its data processing into compliance with the applicable data protection law including reviewing and updating policies at regular defined intervals. The DPC has also directed Yahoo to update its data processing contracts and procedures associated with such contracts to comply with applicable data protection law. The DPC has further directed Yahoo to monitor any data processors which it engages for compliance with the applicable data protection law on an ongoing basis.
Luckily for Yahoo, the breach occurred well in advance of 25 May 2018, so the new regime of hefty administrative fines did not apply: Section 8 of the Data Protection Act 2018 confirms that the Data Protection Act 1988 continues to apply to a contravention that occurred before 25 May 2018.
If the same event occurred now, the company would face administrative fines of up to €20m or 4% of its total worldwide annual turnover, whichever is higher, under the penalties introduced by the GDPR.