In recent months, we have seen the Information Commissioner’s Office (ICO) issuing substantial fines for breach of the Data Protection Act 1998 (DPA). As a result, businesses need to sit up and take note.
On 24 July 2014, the ICO fined Think W3 Limited £150,000 for a serious breach of the DPA when, in December 2012, a hacker stole over 1.1m credit and debit card records of holiday-makers from its subsidiary, Essential Travel Limited. The exact number of records stolen, a total of 1,163,996, is important. Not only is it quite a big number, but of those records 430,599 were identified as ‘live’ financial details whilst the remaining 733,397 records had expired. At first sight, you’d be forgiven for thinking that, as 63% of the records had expired, the actual damage was not as serious as it could have been. The opposite is true.
The investigation into the security lapse, which the ICO described as “staggering”, highlighted two key points of which all businesses operating online and processing personal data ought to take heed:
- Firstly, the fifth data protection principle requires businesses not to keep personal data for longer than is necessary. In this case, Essential Travel Limited had records going back to 2006 that it had done nothing to update and/or remove. The net result was that 733,397 of those records stolen from Essential Travel Limited should never have been available to the hacker in the first place because they should have been deleted from the servers;
- Secondly, the seventh data protection principle requires that businesses store personal data securely using “appropriate technical and organisational measures” to prevent unlawful access. The ICO investigation revealed that the holiday company, formerly part of the Thomas Cook Group, had failed to carry out any penetration testing or other security measures to assess the website’s vulnerability to cybercrime since setting the system up in 2006.
With the ICO stepping up enforcement action and being more ready to issue fines (it fined Sony £250,000 back in 2013 after the Playstation scandal) and the EU Data Protection Regulation on the horizon, businesses must invest in security and adhere to their data protection obligations. Failure to do so potentially leaves them exposed to angry customers, unsympathetic regulators and the cyber criminals themselves.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.