ICO starts to bare its teeth ahead of GDPR as fines start ramping up

New research from PwC reveals that the Information Commissioner’s Office (ICO) levied 35 fines in 2016 for breaches of the Data Protection Act (DPA). This is almost double the 18 fines from the year before.

Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000, although it is yet to do so. The largest fine a UK organisation has received for a breach of data protection laws has been £400,000, which was levied against Keurboom Communications in May 2017 and TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

ICO fine on TalkTalk revealed


The ICO has revealed this week that it has fined communications company TalkTalk £400,000 (out of a maximum £500,000) for its poor web security following the theft of nearly 157,000 customer account details in October 2015. As we reported in our blog of 13th May 2016, the company’s profits were also deeply hit as a direct result of the attack, and the firm lost 101,000 subscribers in the first quarter after the attack.

The report by the ICO was scathing, with Information Commissioner Elizabeth Denham commenting: “Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

In nearly 16,000 cases, the attacker was able to steal bank account details. Additionally, legacy software dating from when TalkTalk took over rival Tiscali was found to be out of date, leaving vulnerable web pages open to attack using SQL injection. TalkTalk had been unaware of the problem, which could have been readily fixed had its security measures been kept up to date.

The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website. Ms Denham added: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.” These comments completely echo the advice Amicus ITS has consistently given to its customers and shared with the wider business community at its regional thought leadership cyber security roadshows.

The next Amicus ITS cyber security event will be held on 24th November 2016. Further details will be posted on the main Amicus ITS events page.

Warning from Information Commissioner – data security too lax in legal profession

With law firms the seventh most targeted business group according to the Cisco 2015 Annual Security Report, it is probably little surprise that the Information Commissioner, Christopher Graham, has warned the profession to improve its information security practices after 15 reported data breach incidents involving members of the industry in three months.

Christopher Graham commented: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

The Law Society Gazette announced that the ICO investigated 173 UK law firms in 2014 for a variety of incidents that may have breached the Data Protection Act 1998 (DPA).

Solicitors and barristers hold a veritable treasure chest of data including: confidential business data, proprietary information and intellectual property, litigation strategy information, personally identifiable information, and other legally sensitive information.

The impact for the legal profession is serious, and the penalties for a law firm are quite profound. If found guilty of breaching the DPA, law firms can face fines of up to £500,000 from the ICO, as well as a damaging loss of credibility.

Graham’s warning concerns the data security principle, Principle 7 of the DPA, which states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

The Commissioner says he is mindful that there is “no one size fits all” solution, so “…[legal firms] should adopt a risk-based approach to deciding what level of security you need” in order to mitigate the risk.

ISO 27001 and best-practice cyber security are exactly that necessary safeguard. ISO 27001, as an information security management system (ISMS), wraps people, processes and technology in an enterprise-wide approach to protecting information, in whatever form it is held, based on the specific threats the organisation actually faces. This acts as the counterpoint to inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions.

Responsible companies should certainly take heed of his advice and do more to protect their client data. This may be in the form of gaining the certification directly, or alternatively outsourcing to a reputable, established IT Managed Service Provider which holds this essential accreditation, to properly consult on and set about the necessary measures to formally protect clientele, finances and reputation. What price reputation?


Carphone Warehouse slow to react to cyber breach

The latest corporate victim of a damaging cyber-attack is the well-known UK mobile phone company Carphone Warehouse (owned by Dixons Carphone). Personal details of up to 2.4 million customers have been accessed, including names, addresses, dates of birth and bank details. In addition, the phone company revealed that the encrypted credit card details of up to 90,000 customers may have been stolen.

The hacked IT division also reportedly operates websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, as well as providing services to TalkTalk Mobile, Talk Mobile and to the newly launched iD mobile network.

Increasingly we are seeing focused attacks on UK firms after a cyber-onslaught in America and this represents one of the biggest we have seen in the UK over the last few years.

For any business holding personal data, up-to-date and sophisticated antivirus software as well as intrusion detection systems need to be maintained and regularly reviewed to detect flaws. We also need to remember that user training must be kept constantly up to date, as unfortunately the weakest link in these systems is often the human element.

For Carphone Warehouse, trying to maintain trust of its customers and allay fears about ID loss will be hard after this, where comments like the following are going viral (BBC news website):

  • “Firms like Carphone Warehouse need to be held accountable for security breaches”
  • “As a Talkmobile customer, I have just visited the Carphone Warehouse and Talkmobile websites to find out more. Guess what? I could find absolutely no mention of this on either website! It seems like they are trying to sweep this under the carpet. Not good enough – and we should have been told when it happened”.

With the value of ID going from £5-£10 for a set of credit card details to £20+ for a full set of personal details, this sort of security breach gets the tills ringing on the black market, enabling criminals to re-register and create false identities with corporate bodies or, for example, use victims’ details to take out loans.

If a customer believes they are affected by such a breach there are a few things they can do:

◾ Notify their bank and credit card company, so they can monitor activity on their account.
◾ Change passwords for any online accounts.
◾ Check accounts for any suspicious or unexpected activity.
◾ Be very, very wary about giving out personal information, bank details or passwords.
◾ Use credit check agencies like Experian or Equifax to check your credit rating and make sure no one has applied for credit in your name (although this means the victims are also being financially punished by needing to spend up to £15 per month just to keep an eye on their credit score).

Any delay in telling customers bad news only allows leaks and rumours to dominate in the press, and this kills any positive steps Carphone Warehouse may have taken to stamp on or curtail the fallout.

Carphone Warehouse did make moves to tell some people news of the breach, namely the Information Commissioner’s Office and the Met Police’s ‘Cyber Crime Unit’, although no formal allegation of a crime had been made and the Met had no reports of any fraudulent banking activity. But it looks to have been too slow to warn those affected, who it should have contacted as a priority, and this might be its commercial undoing next time a mobile phone contract is up for renewal.
