Data Protection – September 2018Print publication
Equifax receives maximum fine for security breach; other cyber security news; latest from the ICO; update on ePrivacy Regulation; and more
Equifax receives maximum fine for security breach…
The UK arm of credit reference agency Equifax has been fined £500,000 by the Information Commissioner’s Office (ICO) for failing to protect the personal information of up to 15 million UK customers during a cyber attack in 2017. The ICO investigation found that the company had failed to take appropriate steps to ensure that its American parent, which was processing the data on its behalf, was protecting the information. There were significant problems with data retention, IT system patching and audit procedures.
Due to timing, the investigation was carried out under the Data Protection Act 1998, with £500,000 being the maximum financial penalty. The maximum penalty under the new General Data Protection Regulation (GDPR) is €20 million or 4% of global turnover. The Information Commissioner said that the company had “received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law…Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine”.
…while Facebook announces security breach affecting almost 50 million users
On 28 September 2018, Facebook announced that a security issue had been discovered three days earlier affecting almost 50 million of its user accounts. Cyber attackers exploited a vulnerability in Facebook’s code which impacted the “View As” feature. The company says that it has yet to determine whether the affected accounts were misused or whether any information was accessed. According to a brief statement, the ICO is making enquiries to establish the scale of the breach and to establish if any UK citizens have been affected by it.
Earlier in the month, British Airways announced that it was investigating the theft of customer data, including personal and financial details, from its website and mobile app. It has also been widely reported that a Conservative Party conference app contained a security flaw allowing access to users’ personal data, including mobile phone numbers. The ICO is making enquiries in relation to both incidents.
On the subject of cyber security…
In a recent speech to the CBI Cyber Security: Business Insight Conference, the ICO Deputy Commissioner (Operations) said that the ICO, as a regulator, “does not seek perfection even if to some it may feel like that. We seek evidence of senior management and board level insight and accountability. We seek evidence of systems that provide a robust level of protection and privacy. The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have many audits, advisory visits and guidance sessions. That is the real norm of the work we do”. He said that since GDPR came into force on 25 May 2018, the ICO has been receiving around 500 calls a week to its breach reporting line. Around one in five of reported breaches involve cyber incidents, of which nearly half are the result of phishing. The key trends which the ICO is finding with its reporting system are: organisations struggling with the concept of 72 hours as defined under GDPR; incomplete reporting; and some over-reporting by data controllers.
The National Cyber Security Centre has released five core questions to help Britain’s biggest boards understand their cyber risk. See the press release for a link through to the toolkit and other materials.
Europol published its latest report assessing the emerging threats and key developments in cybercrime over the past year. See the press release which looks at some of the main trends, including ransomware, malware, payment card fraud and targeting cryptocurrencies.
The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018. They were made to implement the EU Directive on Security of Network and Information Systems (NIS Directive). Businesses identified as “operators of essential services” will be required to take appropriate and proportionate security measures to manage the risks to their systems and to notify serious incidents to the relevant authority. Key digital service providers will also have to comply with security and incident notification requirements. Just after the previous edition of the Regulatory round-up went to press, the government published its response following a targeted consultation on how the NIS Directive will apply to digital service providers in the UK. It proposes to use the outcome of the consultation to assist the ICO in clarifying its guidance to digital service providers. It says that it will look to clarify the following key areas: how digital service providers can more easily identify whether they are within scope of the NIS Regulations; how cloud services in particular are defined; and how the ICO’s cost recovery process will operate.
Latest from the ICO
The ICO has sent notices of intent to fine 34 organisations unless they pay the new data protection fee. They have 21 days to respond and face a maximum fine of £4,350. See the ICO’s blog post and our earlier briefing for more details about the fee. The ICO’s fee webpage can be found here.
The Information Commissioner is reminding organisations to be transparent with people’s personal information, after an ICO survey revealed most UK citizens still do not trust organisations with their data.
The ICO is consulting until 12 October 2018 on creating a regulatory sandbox, following on from the publication of its Technology Strategy for 2018-2021. The sandbox “will be a safe space where organisations are supported to develop innovative products and services using personal data in innovative ways”.
The European Data Protection Board (EDPB) met for its third plenary session on 25 and 26 September 2018. In a blog post about the meeting, the ICO referred, among other things, to the UK’s upcoming departure from the EU: “As we draw closer to a new stage in the relations between the EU and the UK, it is worth bearing in mind that data protection concerns do not begin and end at national borders. Interactions between the ICO and EU supervisory authorities is, and will continue to be, essential…The ICO will maintain the already high standards of data protection in the UK after the UK leaves the EU based on the common data protection framework it shares with the rest of the EDPB”.
In recent ICO enforcement action, a marketing agency was fined £60,000 for sending 1.42 million emails without consent, another firm was fined £150,000 for making over 63,000 calls to people who were registered with the Telephone Preference Service, and a former nurse was prosecuted after she accessed patient records without authorisation, multiple times over a two-year period.
Update on ePrivacy Regulation
A new ePrivacy Regulation, providing special privacy rules for e-communications, was intended to apply at the same time as GDPR, but progress has stalled in Europe. Discussions are ongoing within the Council of the EU and negotiations with the European Parliament are unlikely to start until after elections held in May 2019. On 20 September 2018, ahead of a meeting of the Working Party on Telecommunications and Information Society, the Austrian presidency of the Council of the EU published a revised text of the ePrivacy proposal, seeking to address some of the concerns raised during discussions. See this European Parliament webpage for background and a summary of the current issues.
Other recent news
A new provision inserted into the Privacy and Electronic Communications Regulations prohibits the making of unsolicited calls for the purposes of direct marketing in relation to claims management services, except where a subscriber has previously notified the caller that, for the time being, they consent to such calls being made by or at the instigation of the caller. The change came into effect on 8 September 2018.
On 5 September 2018, the government published an initial code of conduct for the use of digital technology in health and care. Among other things, it clarifies what the government expects from suppliers of data-driven technologies, and how it will support and encourage innovators in health and care.
On 14 September 2018, the government updated its data protection toolkit for schools, first published in April 2018. The guidance is intended to “help schools develop policies and processes for data management, from collecting and handling the data through to the ability to respond quickly and appropriately to data breaches”.
And finally, the European Court of Human Rights ruled that aspects of the UK’s surveillance regimes under the Regulation of Investigatory Powers Act 2000 (RIPA) did not comply with Articles 8 and 10 of the European Convention on Human Rights (right to respect for private and family life and right to freedom of expression) . RIPA has been mostly replaced by the controversial Investigatory Powers Act 2016 (IPA), dubbed the ‘Snooper’s Charter’. The EU may examine the UK’s data protection regime relating to national security legislation, including the powers conferred by the IPA, when it decides on the question of adequacy in relation to data flows post-Brexit. Earlier this year, the English High Court ruled that Part 4 of the IPA is incompatible with fundamental rights in EU law. The government has until 1 November 2018 to rewrite that section of the legislation, which deals with the retention of communications data.
 Case of Big Brother Watch v The United Kingdom (Applications nos. 58170/13, 62322/14 and 24960/15),  ECHR 722