In October the ICO broke its own glass ceiling and issued its first fine of £400,000 – and surprise surprise, it’s Talk Talk.
Since 2010, the ICO has in theory had fining powers of up to £500,000. Although the regulator has never yet gone that high, the trend has been gradually upward year-on-year: both in terms of the upper limit, and the frequency of six-figure penalties. Already this year, in February, the ICO had broken its previous record by slapping a lead generation firm with a fine of £350,000 for making 46 million automated calls without consent – although as the company itself promptly wound up, as it was always likely to, that figure had the feel of an opening bid in the ICO’s negotiation with its liquidators.
As the forthcoming regulation (GDPR) substantially increases those fining powers, we can expect inflation to continue. Typically the ICO’s larger fines fall into one of two camps: mass direct marketing contraventions, and serious data breaches. Talk Talk, famously, suffered the latter in October 2015.
It is always worth emphasising that a “data breach” is not always going to be a breach of the Data Protection Act (DPA) – the relevant DPA principle (seven) determines that organisations take “appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction”. So the test of an unlawful contravention on the part of Talk Talk is not whether personal data was unlawfully accessed by a third party (themselves likely to have committed a criminal offence under the DPA), but whether in all the circumstances the measures Talk Talk had in place to prevent it were appropriate to the size and resources of the organisation – given (among other things) the state of the art in terms of technology, the people they employed, and the nature and quantity of the information they held.
The seriousness of that breach then becomes a question of capacity for harm or distress to individuals (e.g. if payment information is involved), the volume and sensitivity of the data, and aggravating factors based on the data controller’s systems, culture and response. In Talk Talk’s case, it was a flat fail on almost every count: in total 156,959 customers had personal data accessed, roughly 10% of whom gave up bank account details and sort codes. “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” scowled the new Information Commissioner Elizabeth Denham. The fact that hacking is wrong, she continued, “is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not.”
Specifically, Talk Talk had acquired an underlying customer database from Tiscali – remember them? – in 2009, and inherent an outdated and inherently insecure infrastructure. What is an “appropriate” level of security is a standard held against the state of the art, and in this case the system was itself so old that Talk Talk’s scanning software did not even “read” the vulnerable pages for threats. The bug was fixable, and though the company did not have corporate knowledge of the weakness, it should have done. The attack was not especially sophisticated (as widely reported at the time, when details of the attacker emerged as a lone teenager in a bedroom) and most effectively-governed modern systems would have defended it, even in smaller companies.
“We have taken action”, announced Denham. “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.”
It is easy to be cynical about the record fine: Talk Talk were a big scalp and an easy target, not just for hackers but also for the regulator. It may be observed that regulators, too under-resourced to chase down every lead, will often be led by the nose following a media story which demands action and wins headlines when the watchdog shows teeth: last year it was charity fundraising (after the deeply regrettable Olive Cook affair), and now – one year on from the attack – it is the most high-profile corporate hacking victim in the UK. The new Information Commissioner is good with a soundbite, and this was the perfect opportunity to introduce her to the media as a no-nonsense enforcer.
Should this case change companies’ policies? Yes, and no. Certainly it should be a wake-up call if the cyber threat was not already being taken seriously at your organisation – but in 2016, such an attitude would already be reckless and retrograde. At the same time, while a high-water mark, this fine it does not represent a paradigm shift in the ICO’s behaviour: this is consistent with its recent approach, even if the ICO’s assessment of the company’s accidental technological failures is, arguably, harsher than we have seen before. This is in part a reflection of the fact that, given its business, Talk Talk should have known – and acted – better (“In spite of its expertise and resources,” said Denham, “when it came to the basic principles of cyber-security, TalkTalk was found wanting.”). But given the accessibility of cheap tech and a very qualified IT labour market, there is little excuse for an organisation of any size to skimp on cyber security.
Whilst telecoms providers like Talk Talk are already obliged to report breaches to the ICO, under the current regime most data controllers are not legally obliged to report data breaches – though very often it is wise to do so, as the consequences may be worse if it comes to the ICO’s attention some other way (a complaint from a member of the public or, worse, media coverage). Organisations should not see the Talk Talk fine as a signal that they will be taken to the cleaners by the regulator for every data breach, nor seek to cover up when things go wrong – you may find the ICO sympathetic and keen play the “critical friend”, especially if you fall victim to a sophisticated cyber attack and promptly take all reasonable steps to assess and mitigate any possible damage. But it is a stark reminder of the extreme consequences of cultural failure, and the vulnerabilities of even the most tech-savvy companies to the growing cyber threat.
If you require further information on anything covered in this briefing please contact Owen O’Rorke (firstname.lastname@example.org; 020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Data Protection page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2016