That was the view taken by the UK Information Commissioner’s Office (ICO) in its recent decision to issue a monetary penalty of £100,000 against TalkTalk for failing to take appropriate steps to protect customers’ personal data from scammers. This follows the record £400,000 penalty it received in October 2016, after an attacker exploited vulnerabilities in the company’s web pages.
Although the fines have been significant, they could be dwarfed by those the ICO will be able to issue once the GDPR comes into force next May (up to €20m or four per cent of annual global turnover for the most serious data breaches).
The more recent of the two cases concerned customer personal data accessible via a web-based portal. In 2002, TalkTalk gave access to the portal to a third-party IT service provider (Wipro Limited), to which TalkTalk had outsourced customer service functions. In the autumn of 2014, it became apparent that three Wipro employees had used the portal to gain unauthorised access to the personal data of up to 21,000 people.
Following an investigation, the ICO found the company had failed to take “appropriate technical and organisational measures” to protect the personal data “against unauthorised or unlawful processing” in breach of the seventh data protection principle (set out in Schedule 1 to the Data Protection Act 1998).
In particular, the ICO criticised TalkTalk for providing 40 Wipro employees with access to the personal data of between 25,000 and 50,000 customers through the portal, with no controls in place to limit whose accounts were worked on. In addition, Wipro staff were able to: log in from any computer (not only from work devices); carry out “wildcard” searches (for example, by entering “A*” into the surname field, which would then return all surnames beginning with A); view up to 500 customer records at a time; and export data from the portal to separate applications and files.
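The four failings the ICO listed map directly onto access-control checks that a customer-service portal can enforce in code. The example below is added here for illustration; it is not TalkTalk’s or Wipro’s software. It assumes a simple in-memory customer store, a constructed agent with an assigned caseload and an enrolled work device, and a result cap of 10 records per page (the cap value is an assumption chosen to contrast with the 500-record views described above). Each decision is appended to an audit log so that the kind of on-going monitoring the case calls for has something to monitor.

```python
"""Access controls for a customer-data portal, modelled on the gaps the ICO
described (added illustration, not TalkTalk's or Wipro's code).

Each check corresponds to one failing named in the decision:
  - agents could work on any customer's account  -> per-agent caseload scoping
  - wildcard surname searches ("A*")             -> exact-match queries only
  - up to 500 records per view                   -> hard page-size cap
  - login from any computer                      -> managed-device allowlist
Every decision, allowed or denied, is written to an audit log.
"""
from dataclasses import dataclass, field
import re

MAX_RESULTS = 10  # assumed cap for this example; the page reports 500 per view


@dataclass
class Customer:
    account_id: str
    surname: str
    phone: str


@dataclass(frozen=True)
class Agent:
    agent_id: str
    assigned_accounts: frozenset   # accounts this agent is currently handling
    managed_devices: frozenset     # enrolled work devices allowed to log in


@dataclass
class Portal:
    customers: dict
    audit_log: list = field(default_factory=list)

    def _log(self, agent, action, outcome, detail=""):
        self.audit_log.append((agent.agent_id, action, outcome, detail))

    def search(self, agent, device_id, surname):
        # Control 1: only enrolled work devices may reach customer data.
        if device_id not in agent.managed_devices:
            self._log(agent, "search", "denied", f"unmanaged device {device_id}")
            raise PermissionError("unmanaged device")
        # Control 2: surnames must be plain, exact strings; "A*" style
        # wildcard or pattern input is rejected before any lookup happens.
        if not re.fullmatch(r"[A-Za-z' \-]{2,64}", surname):
            self._log(agent, "search", "denied", f"rejected query {surname!r}")
            raise ValueError("exact surname required")
        # Control 3: results are scoped to the agent's caseload, never the
        # whole customer base, so an exact-match hit outside it is invisible.
        matches = [
            c for c in self.customers.values()
            if c.account_id in agent.assigned_accounts
            and c.surname.casefold() == surname.casefold()
        ]
        # Control 4: never hand back more than a small page of records.
        truncated = len(matches) > MAX_RESULTS
        self._log(agent, "search", "ok",
                  f"{len(matches)} matched, truncated={truncated}")
        return matches[:MAX_RESULTS]

    def export(self, agent, records):
        # Bulk export to outside applications was itself a failing; refuse and log it.
        self._log(agent, "export", "denied", f"{len(records)} records")
        raise PermissionError("export disabled")


def build_demo():
    """Constructed sample data: four customers, one agent assigned two of them."""
    surnames = ["Adams", "Allen", "Adams", "Baker"]
    customers = {
        f"ACC{i:04d}": Customer(f"ACC{i:04d}", s, "constructed-number")
        for i, s in enumerate(surnames)
    }
    agent = Agent("agent-01",
                  assigned_accounts=frozenset({"ACC0000", "ACC0003"}),
                  managed_devices=frozenset({"wks-0042"}))
    return Portal(customers), agent


if __name__ == "__main__":
    portal, agent = build_demo()
    hits = portal.search(agent, "wks-0042", "Adams")
    print([c.account_id for c in hits])   # only the Adams in the agent's caseload
    for row in portal.audit_log:
        print(row)
```

The second “Adams” record exists in the store but is outside the agent’s caseload, so it is never returned; the same query from an unenrolled device, or as “A*”, is refused and leaves a denial in the audit log rather than silently returning nothing.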
The ICO therefore determined that TalkTalk had put customer personal data at risk by permitting “unjustifiably wide-ranging access” to that data by external agents over a long period of time, although there is no evidence that anything was actually passed to fraudsters or other third parties as a result of the inadequacies.
Although the most recent case does not involve a cyber-attack, the ICO’s decision makes clear that it expects organisations to be aware of the increasing prevalence of cyber attacks, scams and attempted fraud and to take appropriate steps to protect personal data in light of such threats.
The case should serve as a warning to all organisations of the importance of ensuring the security of personal data. This should include: (i) reviewing existing physical and IT security measures and considering whether they require improvement; (ii) on-going monitoring; (iii) restricting access to personal data; (iv) checks to ensure the reliability of those who have access; and (v) limiting access to data to what is strictly necessary to carry out the relevant processing.
Data controllers should also have appropriate contracts in place with their data processors, to ensure they have adequate contractual protections against data breaches, including contractual monitoring and audit rights, indemnities and termination rights.
Those who hold sensitive or large amounts of customer data and/or who rely heavily on IT systems and websites may also want to consider specialised cyber insurance policies to supplement existing insurance arrangements.
Failure to take such steps, despite the obvious risk, could make an organisation culpable in the event of a data breach and potentially subject it to a significant fine, even if the breach is the result of rogue employees or a criminal hacker. As Information Commissioner Elizabeth Denham said, TalkTalk “should have known better and should have put customers first”.
Michelle Morgan is an associate in the commercial team of Hill Dickinson LLP