Data protection fines are not a new concept. Organisations have been responsible for upholding the law since the Data Protection Act 1998, and when a breach has taken place they have had to deal with the consequences.
With the General Data Protection Regulation (GDPR) just around the corner, these fines are set to escalate. Companies will be fined up to €20 million or 4% of annual global turnover, whichever is higher.
Because of this we have pulled together some examples of UK data breaches and the reasons the organisations involved were fined. In some instances these companies were actually preparing for GDPR compliance when the breach occurred!
It is important to note when reading these examples that all of these are pre-GDPR fines. According to The Register, fines under the new law will be 79 times higher. That would mean our first example, TalkTalk, would have faced £59 million rather than £400,000!
In the transition, vulnerable web pages were overlooked and the appropriate security checks did not take place. This meant that attackers used a common technique known as SQL injection to access the data. The worst part is that this is a well-understood technique with simple, well-known defences that can be put in place once the vulnerability is known about.
This type of attack happened not once but three times, meaning there were two earlier opportunities for the problem to be found and fixed. The cyber attack saw the personal data of 156,959 customers compromised, including names, addresses and dates of birth, and for most of them bank account numbers and sort codes!
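The "easy defence" referred to above is to never splice user input into SQL text and instead pass it as a bound parameter. The following is an added illustration, not code from the original article or from TalkTalk's systems: it builds a small in-memory SQLite table of constructed sample records (no real customer data), runs the same lookup once with string concatenation and once with a parameterised query, and shows that a crafted input returns every row from the first but nothing from the second. The table, column names and inputs are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample records for the demonstration (not real customer data).
CUSTOMERS = [
    (1, "alice@example.com", "Alice", "11-22-33"),
    (2, "bob@example.com", "Bob", "44-55-66"),
    (3, "carol@example.com", "Carol", "77-88-99"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a hypothetical customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(id INTEGER PRIMARY KEY, email TEXT, name TEXT, sort_code TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable form: the user-supplied value becomes part of the SQL text,
    so a quote character in the input changes the meaning of the query."""
    sql = "SELECT id, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value is bound as a parameter, so the database
    always treats it as data, never as SQL."""
    sql = "SELECT id, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal input and with a crafted one and
    return the rows each produced, so the difference can be asserted on."""
    conn = make_db()
    normal = "bob@example.com"
    crafted = "x' OR '1'='1"  # classic textbook probe, used here only to show the contrast
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

A check like `demo()` is the kind of regression test a security review should leave behind: the vulnerable lookup leaks all three records on the crafted input, while the parameterised one returns none, and keeping that assertion in the test suite is exactly what would have turned the "two earlier opportunities" above into a fix rather than a repeat.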
Using valid credentials, attackers were able to access the personal data of over 3 million customers and 1,000 employees. This was all because of out-of-date WordPress software. Data that was exposed included names, addresses, phone numbers, dates of birth, marital status and historical payment card details.
Looking at the figures it isn't hard to understand why Carphone Warehouse were fined; the reason the fine was so large, however, was the resources they had at their fingertips. The Information Commissioner Elizabeth Denham said, "A company as large, well resourced and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks".
Example 3: Flybe £70,000
This is a case of consent.
In August 2016 Flybe were trying to update their customer information so that marketing preferences were up to date.
Here is where they went wrong. Within the email they also gave people a chance to enter a prize draw. This is technically marketing. So rather than the email being purely for updating preferences it then became a marketing email. This broke the Privacy and Electronic Communications Regulations (PECR).
Steve Eckersley, ICO Head of Enforcement, commented that, "In Flybe's case, the company deliberately contacted people who had already opted out of emails from them...Businesses must understand they can't break one law to get ready for another."
Despite their good intentions Honda was fined £13,000. They commented that, “It is important to highlight that we have already taken steps to address the concerns that the ICO has raised, and we are pleased that the ICO has recognised that any breach of the PECR by Honda was not deliberate.”
Steve Eckersley, ICO Head of Enforcement, explained, "Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law."
The General Data Protection Regulation (GDPR) is coming, and all organisations need to prepare. This means keeping your security systems up to date, having a plan for when a breach does occur, and making sure that even your best efforts at compliance actually fit within all existing laws as well as the new law coming into force.
The truth of the matter is that you will be fined for non-compliance. While the pre-GDPR fines could have put some companies out of business, the size of the fines once GDPR kicks in will put people out of business.
For more information on GDPR fines and what to do next, see the ICO website.
This guide is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.