Privacy Law Blog

TalkTalk handed record fine in data protection breach in the UK

TalkTalk, a major UK telecoms company, has been fined £400,000 for a data breach after it was hacked. This is a record fine imposed by the ICO (the UK’s data protection authority). Significantly, the fine was imposed after a change of leadership this summer, when Elizabeth Denham (previously the Information Commissioner in the Canadian province of British Columbia) replaced Christopher Graham as the Information Commissioner.

This record fine followed an in-depth investigation by the ICO into an attack by hackers on TalkTalk’s systems in October 2015. The hackers obtained the details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the hackers also gained access to bank account details and sort codes. The maximum fine the ICO can require companies to pay is £500,000.

The attack exploited vulnerabilities in webpages that TalkTalk had acquired from Tiscali in 2009 to access a database. In handing down the fine, the ICO held that there had been elementary errors in TalkTalk’s efforts to safeguard personal data, including:

  • TalkTalk was unaware of webpages it had acquired as part of the Tiscali acquisition;
  • A bug in the database software, for which a fix was available, remained unfixed (allowing the hackers to bypass the database access restrictions);
  • Two previous attacks on the same webpages, in July and September 2015, should have alerted TalkTalk to the vulnerabilities in the webpages that were hacked;
  • The database was outdated and could have been upgraded to a newer version unaffected by the bug in question; and
  • TalkTalk failed to proactively monitor its own activities – had it done so, it would have discovered the vulnerabilities.

The new Information Commissioner stated that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” and that “in spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting”. The contravention was of a kind likely to cause substantial damage and substantial distress to its customers, and TalkTalk should have identified the risks and taken appropriate action to prevent the data from being hacked.

The Information Commissioner further stated that “…cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.” This is a stark statement of the position of the new Information Commissioner and demonstrates why now, more than ever, boards and top-level executives must proactively address, and be seen to be addressing, cyber-security issues.

A separate criminal investigation into this matter is ongoing. We will keep you posted on any developments.

Tales from the (Quantum) Crypt

The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satellite,” a project the Chinese government hopes will enable it to build a communication system incapable of being hacked. Such a system, if perfected, would allow for encrypted communications between any two devices with absolute certainty that the encryption could not be broken, and with a built-in mechanism for alerting the sender and receiver if someone tried.

German DPA Plans to Challenge Privacy Shield

The Privacy Shield is now live, having gone into effect on August 1. Perhaps emboldened by the Article 29 Working Party’s late July announcement that European regulators will not challenge the program’s adequacy for at least a year (after the first annual review of the program in May 2017), companies have begun self-certifying in order to legalize their transfers of personal data from the EU to the US. However, as we reported previously, the Privacy Shield nevertheless faces a somewhat precarious future, as it is likely that it will face multiple legal challenges.


An Overview of the New General Data Protection Regulation

The European Parliament has approved the reformed General Data Protection Regulation (the “GDPR”). Because this is a Regulation (rather than a Directive), the legislation will apply automatically in every Member State (without the need for additional domestic legislation) when it comes into force on May 25, 2018.

Many of the requirements are similar to those set out in Directive 95/46/EC (the “EU Directive”); however, there are certain key differences. The table below summarises the key changes.


FTC: LabMD Tests Positive for “Unfair” Security Practices

LabMD’s lack of data security measures resulted in the FTC Commission overturning an Administrative Law Judge (“ALJ”) decision that had dismissed the charges against the company in November. LabMD had performed laboratory medical testing for over 750,000 patients since 2001 before going out of business in 2014, partly as a result of fighting this case. The FTC brought the action under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” An act that causes or is likely to cause substantial injury to consumers, and that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition, may be deemed unfair.


Privacy Shield Adopted, But Uncertainty Remains

Yesterday, the European Commission adopted the EU-US Privacy Shield, a framework designed to replace the invalidated Safe Harbor program. In theory, the Privacy Shield offers its adherents a relatively simple, straightforward way to legally transfer personal data from the EU to the US. In reality, however, the Privacy Shield is likely to face legal challenges that may hinder its ability to serve as a reliable means of legal transfer, at least for the immediate future.

Privacy Pros Invited to Confront GDPR Application

Proskauer Counsel Cécile Martin was recently interviewed by DataGuidance’s “Privacy This Week” covering new guidance issued by the French data protection authority (‘CNIL’) on June 15, 2016. The guidance highlights the main changes in relation to the General Data Protection Regulation (‘GDPR’). On June 16, 2016, CNIL launched an online consultation regarding the interpretation and implementation of the GDPR in four areas: data protection officers (‘DPOs’), the right to data portability, Data Protection Impact Assessments (‘DPIAs’) and certification (‘the Consultation’).