07.07.2017 Dorothy Agnew
In what has become a stark reminder to all companies to take appropriate measures to protect customer data, TalkTalk has been fined a record £400,000 by the ICO for cyber security failings which Information Commissioner Elizabeth Denham has said, “allowed hackers to penetrate TalkTalk’s systems with ease”.
In particular, TalkTalk was held to be in breach of the seventh principle of the Data Protection Act 1998 (DPA). The seventh principle requires companies to take ‘appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
The DPA also sets out the level of security companies must implement when protecting personal data:
“The measures must ensure a level of security appropriate to – (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected”.
Between the 15th and 21st of October 2015, hackers were able to bypass TalkTalk’s security systems and access the personal data of 156,959 customers. They were able to gain access to customer names, addresses, dates of birth, phone numbers and email addresses. And for 15,656 customers, the hackers were able to access bank account details and sort codes.
As a result of this breach of security, TalkTalk revealed in May that the hack had cost the company £42m, as well as 101,000 subscribers who left the company after the attack came to light.
For TalkTalk this was a lesson in due diligence, as the facts of the case reveal a series of oversights that, had they been rectified, would have saved the company from all the subsequent grief.
The first oversight occurred when TalkTalk purchased Tiscali’s UK operations in 2009. TalkTalk failed to identify that the system employed by Tiscali was outdated and vulnerable to cyber-attacks.
The second oversight was TalkTalk’s failure to take a proactive stance on monitoring activity on its database to discover vulnerabilities.
The third oversight, which would have been remedied had TalkTalk taken appropriate action on the first two issues, was that Tiscali’s infrastructure included outdated database software which left sensitive information accessible via the internet. This made it particularly vulnerable to cyber-attacks, in particular an ‘SQL injection’, which was used to extract the aforementioned personal data.
In a ‘salt in the wounds’ moment, not only had the vulnerability exploited by the hackers been identified in 2012, but a fix had also been developed and made available that same year.
A fourth and final oversight was TalkTalk’s failure to adapt and update its systems after two previous cyber-attacks; one successful SQL injection on the 17th July 2015 and another attack between the 2nd and 3rd September 2015.
As a result of these oversights the hacks exposed well over 100,000 customers’ personal data and led to what has been the ICO’s biggest fine to date.
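The SQL injection described above is, at bottom, user input being treated as SQL syntax. The following is an added illustration (not code from the article, the ICO notice or TalkTalk's systems) using a constructed in-memory customer table: the concatenated query leaks every row when given a crafted input, while the parameterised query treats the same input as plain data.

```python
import sqlite3

# Constructed sample rows for illustration only; not TalkTalk's schema or data.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Smith", "11-22-33"),
    ("bob@example.com", "Bob Jones", "44-55-66"),
    ("carol@example.com", "Carol White", "77-88-99"),
]


def make_db():
    """Build an in-memory customer table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, sort_code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Query built by string concatenation: the input becomes part of the SQL."""
    sql = "SELECT email, name, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver binds the input as a value, never as SQL."""
    sql = "SELECT email, name, sort_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # textbook injection input; closes the quote, adds a tautology
    print(len(lookup_vulnerable(db, crafted)))  # 3: every customer row is returned
    print(len(lookup_safe(db, crafted)))        # 0: no customer has that literal email
```

The same contrast applies to any data-access layer: monitoring for queries that return far more rows than a single-customer lookup should is one of the database-activity checks the second oversight above refers to.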
Lessons to be learnt
The overriding lesson to be learnt from this case was summed up by Ms. Denham: “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers”.
In its report the ICO said of the record breaking fine, that the, “underlying objective… is to promote compliance with the DPA and… to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data”.
If anything should be taken from this case, it is the need to be aware of, understand and take seriously the DPA. The vagueness of ‘appropriate… measures’ in the seventh principle should not be read as an excuse to apply the bare minimum of cyber-security, but as a requirement to be taken very seriously, unless one wishes to end up in a similar position to TalkTalk.
However, companies should also look ahead to, and prepare for, the changes introduced by the EU’s General Data Protection Regulation (GDPR), scheduled to become effective on May 25th 2018.
Besides laying out new legislation to be aware of and comply with, one should take particular note of the penalties for breaches of the GDPR. Article 83 section 5 grants the ability to apply fines which dwarf the current maximum ICO fine of £500,000, by increasing the maximum fine to €20m or, in particularly serious cases, 4% of global turnover.
In light of this, companies which process large amounts of personal data would do well to ensure all their systems are up to date and comply with the GDPR sooner rather than later. And if companies are to learn from TalkTalk’s mistakes, it would be wise to ensure not only that IT systems are up to date, but also that staff are familiar with, and have a healthy respect for, the new legislation.
Finally, it is worth noting that while Britain’s decision to leave the EU earlier this year may mean that, once Britain has formally left the EU, the GDPR may not apply to companies storing domestic data, it will still apply to those companies storing data from the EU. It is also important to note that the triggering of article 50 in March this year marks the start of two years of negotiations over a deal for Britain’s exit from the EU. This means Britain will be fully subject to the GDPR when it comes into effect.