Data protection fines are not a new concept. Organisations have been responsible for upholding the law since the Data Protection Act 1998, and when a breach takes place they have to deal with the consequences.
With the General Data Protection Regulation (GDPR) just around the corner, these fines are set to escalate. Companies can be fined up to 20 million euro or 4% of annual global turnover, whichever is higher.
Because of this we have pulled together some examples of UK data breaches and the reasons the organisations involved were fined. In some instances these companies were actually preparing for GDPR compliance when they broke the law!
It is important to note when reading these examples that all of them are pre-GDPR fines. According to The Register, the same breaches would have attracted fines up to 79 times higher under the new law; on that analysis our first example, TalkTalk, would have faced around £59 million rather than £400,000.
Example 1: TalkTalk £400,000
In 2009 TalkTalk acquired Tiscali's UK operations. Little did they know at the time that this acquisition would lead to a huge data breach in 2015 and a £400,000 fine.
In the transition, web pages inherited from Tiscali were overlooked and never received the appropriate security checks. This allowed attackers to use a common technique, SQL injection, to pull customer data straight out of the database. The worst part is that SQL injection is a well-understood attack with straightforward defences (parameterised queries and input validation), provided the vulnerable pages are known about in the first place, which is why an accurate inventory of inherited systems matters.
This type of attack happened not once but three times, meaning there were two earlier opportunities for the problem to be found and fixed. The attack compromised the personal data of 156,959 customers, including names, addresses and dates of birth, and for 15,656 of them bank account numbers and sort codes.
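To make the "easy defences" point concrete, here is an added example (not code from the original article, and nothing to do with TalkTalk's actual systems) of the kind of lookup the attackers would have abused, alongside its parameterised fix. The customer table, names and bank details are constructed sample data; the query shape and the `' OR '1'='1` payload are the classic textbook case, and SQLite is used only so the example runs offline.

```python
import sqlite3

# Constructed sample data for the demo (hypothetical customers, not real people).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Smith", "12-34-56", "12345678"),
    ("bob@example.com", "Bob Jones", "65-43-21", "87654321"),
    ("carol@example.com", "Carol White", "11-22-33", "11223344"),
]

# A tautology payload: turns "WHERE email = '<input>'" into a condition
# that is true for every row, so the whole table comes back.
INJECTION_PAYLOAD = "' OR '1'='1"


def build_db():
    """Create an in-memory customer table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, name TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: user input is concatenated into the SQL text, so a quote in
    the input ends the string literal and the rest is executed as SQL."""
    sql = (
        "SELECT email, name, sort_code, account_no FROM customers "
        f"WHERE email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """FIXED: the value is passed as a bound parameter. The driver sends it
    separately from the query text, so it is only ever compared as data."""
    sql = "SELECT email, name, sort_code, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal input and with the injection payload and
    return how many rows each one hands back."""
    conn = build_db()
    normal = "alice@example.com"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_attack": len(lookup_vulnerable(conn, INJECTION_PAYLOAD)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_attack": len(lookup_safe(conn, INJECTION_PAYLOAD)),
    }


if __name__ == "__main__":
    for check, rows in demo().items():
        print(f"{check}: {rows} row(s)")
```

The vulnerable lookup returns every customer, bank details included, when given the payload; the parameterised version returns nothing because it looks for a customer whose email address literally is `' OR '1'='1`. Note that the fix is a one-line change to the query, which is exactly why the ICO treated the TalkTalk breach as avoidable: the hard part is knowing which legacy pages still carry the vulnerable pattern.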
Example 2: Carphone Warehouse £400,000
In 2015 Carphone Warehouse found themselves the victims of a cyber attack, one that should not have happened.
Using valid credentials, the attackers were able to access the personal data of over 3 million customers and 1,000 employees, all because of out-of-date WordPress software. The exposed data included names, addresses, phone numbers, dates of birth, marital status and historical payment card details.
Looking at the numbers it isn't hard to understand why Carphone Warehouse were fined; the reason the fine was so large, though, was the resources the company had at its disposal. The Information Commissioner Elizabeth Denham said, “A company as large, well resourced and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks”.
Example 3: Flybe £70,000
This one is a case about consent.
In August 2016 Flybe emailed customers asking them to update their information so that their marketing preferences were up to date.
Here is where they went wrong. The email also offered recipients the chance to enter a prize draw, which is technically marketing, so rather than being purely a request to update preferences it became a marketing email. That broke the Privacy and Electronic Communications Regulations (PECR).
The next big no-no was that Flybe sent the email to 3.3 million people who had already opted out. Even pre-GDPR, every marketer knows that this is a cardinal sin.
Steve Eckersley, ICO Head of Enforcement, commented that, “In Flybe’s case, the company deliberately contacted people who had already opted out of emails from them...Businesses must understand they can’t break one law to get ready for another.”
Example 4: Honda £13,000
This is a similar case to Flybe.
Honda were trying to update customers’ marketing preferences but did not have their consent in the first place: the customers had never agreed to receive this sort of email. Honda, however, classed the email as a customer service message rather than a marketing one, and this is where the confusion lies.
Despite their good intentions Honda was fined £13,000. The company commented that, “It is important to highlight that we have already taken steps to address the concerns that the ICO has raised, and we are pleased that the ICO has recognised that any breach of the PECR by Honda was not deliberate.”
Steve Eckersley, ICO Head of Enforcement explained, “Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law”
The General Data Protection Regulation (GDPR) is coming, and all organisations need to prepare. That means keeping your security systems up to date, having a plan for when a breach does occur, and making sure that your efforts to comply with the new law do not themselves break the laws already in force.
The truth of the matter is that you will be fined for non-compliance, and while the pre-GDPR fines could have put some companies out of business, the size of the fines once GDPR kicks in will put companies out of business.
For more information on GDPR fines and what to do next, see the ICO website.
This guide is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.