The ICO sends out a warning at the expense of TalkTalk.

With the General Data Protection Regulation (known as "GDPR") racing towards us, the Information Commissioner's Office ("ICO") has sent out a strong message to businesses about data security.

Last year a hacker managed to access the personal data of more than150,000 TalkTalk customers. This data included names, dates of birth, contact details and bank account information. Following the breach, the ICO carried out a full investigation which revealed a serious failure by talkTalk to put in place even the most basic of cyber security measures to protect customer data. Had these measures been in place, they would have had a very strong chance of preventing the attack.

It seems amazing that a business of the size of TalkTalk with the level of resources at its disposal did not put in place protections to prevent a breach of this nature. However, ignorance and the unintentional nature of the breach proved to be an inadequate defence for TalkTalk. They argued that the business was unaware that it had been using software which was outdated or that they knew that a bug had affected the integrity of its systems. Unbelievably, the hacker used a common technique to break into TalkTalk's systems and it was a technique which TalkTalk had experienced twice before in the same year as the attack. As such, TalkTalk could and should have been aware of the risks and should have taken precautions against them.

The maximum fine which the ICO can impose in data breaches is currently £500,000.00. In this case, the ICO decided not to impose the maximum but instead set the fine for TalkTalk at £400,000.00. Whilst this is clearly a very significant sum, it pales into insignificance compared to the commercial and reputational damage suffered by TalkTalk due to its failure to properly look after its customers' personal data. This event resulted in a loss of over 100,000 TalkTalk customers and a separate criminal investigation is still ongoing.

Whilst the fine levied on TalkTalk was substantial, the GDPR will create a far greater financial risk to businesses which fail to protect personal data in their care. Under the new regime, fines may be imposed at a level of the greater of €20 million or 4% of turnover. The GDPR will also impose more onerous data protection obligations on businesses generally.

Watch this space.... 

By Daniel Gardener

Subject to our terms and conditions and copyright policy.