Data security breaches hit the headlines in 2018 for Uber, Facebook and Bupa, to name just a few. Some of the fines imposed hit the maximum of £500,000 but the ICO has been quick to point out that, due to the timing of the breaches concerned, these cases were dealt with under the old Data Protection Act 1998 (DPA 1998) rather than the new General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018). As new cases start to filter through, fines are likely to increase significantly, as the maximum level fine under the GDPR is £17 million or 4% of global turnover (whichever is higher).
Recent enforcement action for data security incidents
A summary of recent data security incidents and levels of fines imposed by the ICO (albeit under the DPA 1998) are set out in the table below.
|
Company |
Details of breach |
Consequences
|
Fine |
Additional comments |
|
Uber |
Failure to adequately protect personal data during a cyber-attack. |
2.7 million UK customer records were accessed and downloaded by attackers from cloud based storage, operated by Uber’s US parent company. This included names, email addresses and phone numbers as well as 82,000 drivers’ records of journeys and payments. |
£385,000 |
Customers and drivers were not told about the incident for more than a year and, instead, Uber paid attackers $100,000 to destroy the data. The ICO investigation noted that, although there was no legal duty at the time to report data breaches, Uber’s poor practices and conduct were likely to have compounded the distress of those affected. Paying attackers and keeping quiet was not an appropriate response, according to the ICO. |
|
Facebook Ireland Ltd |
Unlawful processing by allowing third parties to access users’ personal data without sufficiently clear consent; failure to keep data secure by not making suitable checks on developers using the platform. |
Facebook data of up to 87 million people worldwide ‘harvested’ without their knowledge; and at least one million UK users’ personal data was among the ‘harvested’ data and placed at risk of misuse. |
£500,000 |
The ICO stated that “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.” |
|
Heathrow Airport Limited |
Failure to ensure personal data held on its network was properly secured; employee lost a USB stick which was not encrypted or password protected. |
Small amount of personal and sensitive data disclosed along with a training video containing names, dates of birth, passport numbers of 10 individuals and details of aviation security personnel; data disclosed to a national newspaper by a member of the public who found the USB. |
£120,000 |
The ICO found that there was a “…catalogue of shortcomings in corporate standards, training and vision”. An ICO investigation noted that only 2% of the 6,500-strong workforce had received data protection training. Other concerns included widespread use of removable media in contravention of the company’s own policies and guidance.
|
|
Bupa Insurance Services |
Failure to keep personal data secure (e.g. failure to detect unusual activity such as bulk extraction of data). |
Employee extracted (by sending bulk data to a personal email) and offered to sell personal data (including name, date of birth, email address and nationality) of 547,000 Bupa Global customers on ‘the dark web’. |
£175,000 |
The ICO investigation found “material inadequacies” in the way Bupa safeguarded personal data (e.g. failure to monitor a customer database activity log; being unaware of and unable to detect unusual activity). These inadequacies were systemic and appeared to go unchecked for a long time without any satisfactory explanation. |
|
Equifax Ltd |
Failure to adequately protect personal data during a cyber-attack; UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc. (which was processing personal data on its behalf) was protecting the information; other data protection breaches included poor retention practices and lack of a legal basis for international transfers of personal data. |
Cyber-attack on credit reference company’s information systems in the US affected up to 15 million UK citizens’ data including names, dates of birth, addresses, passwords, driving licence and financial details. |
£500,000 |
The ICO made it clear that it was “…determined to look after UK citizens’ information wherever it is held.” The ICO investigation found that the US department of Homeland Security had already warned Equifax Inc. about a critical vulnerability but sufficient steps were not taken to address it. There were also significant problems with data retention and audit procedures. Measures that should have been in place to manage personal information were inadequate and ineffective. |
Expect ‘significantly higher’ fines in future
In all of the above cases, the timing of the various breaches meant that they were dealt with under the old DPA 1998 data protection regime rather than the GDPR and DPA 2018. As a result, the maximum penalty that could be imposed was £500,000. However, as new cases are decided under the GDPR regime, the ICO has made it clear that fines will be significantly higher.
In October 2018, the ICO issued a statement explaining that its investigation into a cyber-attack affecting British Airways’ customers and credit card payments via the BA website remains ongoing. Media reports have suggested that if British Airways is found to be in breach of current data protection laws for failing to provide adequate protection against the cyber-attack, it could face fines of up to £500 million (based on the upper limit of GDPR fines being £17 million or 4% of global turnover (whichever is higher)).
ICO highlights importance of good policies and training
The above cases highlight the importance of ensuring that adequate data security measures are in place. It’s not enough to just pay lip-service to compliance. ICO investigations have given careful consideration to whether security procedures are not only in place but also properly observed. In the Heathrow Airport case, for example, the ICO highlighted not only the lack of adherence to company policies on data protection but also the fact that only 2% of the 6,500-strong workforce had received data protection training.
The cases involving Uber and Equifax also serve to demonstrate that UK companies can’t necessarily sidestep data protection penalties just because a cyber-attack is carried out overseas or against the information systems of another group company.
How EEF can help
Our hugely popular GDPR seminar series continues throughout January 2019. The latest instalment, Practical GDPR for HR professionals: what will change in your day job?, explains how the GDPR and DPA 2018 will affect everyday HR activities and provides detailed guidance on responding to Subject Access Requests and reporting personal data protection breaches.
HR Handbook review
Start 2019 with up to the minute policies and procedures - ask your EEF advisor about our HR handbook review and re-new service. We’ll future proof your employment handbook to take into account the latest developments (including GDPR).
For more information, speak to your EEF adviser, email [email protected] or call 0808 168 5874.