The Information Commissioner, Elizabeth Denham, has set a strong precedent by imposing a record £400,000 financial penalty on TalkTalk Telecom Group plc for inadequate data security structures. The decision represents a hard-line approach towards breaches of the principles of data protection. Undoubtedly, the intention of the Information Commissioner’s Office (ICO) was to send out a message to business owners everywhere that they need to engage seriously with the responsibilities prescribed by data security legislation.
Between 15 and 21 October 2015 a teenage hacker single-handedly accessed the personal data of 156,959 TalkTalk customers. This data largely consisted of names, addresses, and phone numbers. However, one of the driving forces behind the severity of the fine was that 15,656 customers had their bank account details and sort codes stolen.
The timeline of events goes back to 2009, when TalkTalk acquired Tiscali’s UK operations, which included web pages found to still be accessible in 2015. These legacy pages were left online by TalkTalk and allowed the hacker to infiltrate the customer database and extract the personal data of thousands of individuals.
TalkTalk was found to have breached two data protection principles. The fifth principle, which disallows companies from holding data for longer than is necessary for its purposes, is a relatively clear rule that was blatantly breached by TalkTalk. The seventh principle, however, represents a greater challenge for business owners. This principle imposes a duty on companies to ensure that appropriate technical and organisational safeguards are put in place, and maintained, with a view to avoiding data being lost, damaged or stolen.
The ICO distinguished the TalkTalk case, and in doing so justified the level of the fiscal penalty in the following ways:
The ICO’s rationale, when deconstructed, can be applied to businesses of any operational size or nature. The key message is that reasonable steps must be taken, by every business owner, to prevent a data breach from materialising. The standard expected must be contextualised by factors such as the resources of the business, any previous indicators of vulnerability to security breaches, and the type of information at risk. In order to achieve the appropriate level of protection, every business owner should diligently consider their operations in the context of the data protection principles and have systems in place to ensure the existing safeguards are both present and sufficient.
When collecting personal data for the purposes of marketing, the following are key points for compliance:
When storing data, businesses should keep records of compliance to ensure they are prepared for an investigation by the ICO. These records should reflect an individual’s preferences regarding how they wish to be contacted and show when and how their consent was obtained. A business should ensure that people are able to “opt-out” of receiving marketing and keep a database of those who have opted out in the past.
This is where an individual or company has requested marketing material and allows a business to send this information, even if the individual or company has previously opted out.
Businesses can contact individuals or companies held on their database unless those parties have specified that they do not wish to receive direct marketing. It is important for businesses to maintain and check their opt-out list before sending marketing information.
Data protection is arguably one of the most significant challenges faced by businesses in modern times. Yet it is traditionally viewed as falling exclusively within the remit of the IT department, as opposed to being a key issue around the boardroom table.
Whilst the minimum aim for all companies should be to comply with the data protection principles, there is also a reputational motivation for doing so. As a consequence of the 2015 cyber-attacks, TalkTalk reportedly lost 101,000 subscribers, together with £42 million. Whilst data protection compliance can appear to be a nuisance, a commitment to improving and maintaining existing safeguards can ensure that the public and existing customers view a business as synonymous with trust and security.
If you would like to discuss any of the points raised in this article, please contact Jonathan Waters
Call: 0191 232 8345