Yet another company has recently been issued a substantial monetary penalty by the Information Commissioner's Office (the "ICO") for failing to ensure sufficient security of its personal data. This comes at a time when cyber attacks are on the rise and becoming more sophisticated. With the GDPR due to come into force in May next year, Data Controllers and Processors need to ensure, more than ever, that they are appropriately securing their personal data.
The ICO has reported that Boomerang Video Limited ("the Company"), a gaming rental website, had engaged a third party Processor to develop its website in 2005. The Company was unaware that the login page to the website contained a coding error, which was eventually exploited by a hacker in 2014. The hacker was able to gain entry into a section of the website by entering a password, which was simply the name of the Company. By using this password together with malware, the hacker downloaded files containing 26,331 cardholder details, which included names, addresses, account numbers, expiry dates and sort codes. Although some areas of the website were encrypted, the hacker was easily able to locate the decryption key.
The seventh data protection principle, at Part I of Schedule 1 of the Data Protection Act 1998 (the “DPA”) states:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The ICO found that the Company did not have appropriate technical measures in place and, in particular, that it had failed to:
(a) carry out regular penetration testing on its website that should have detected the error;
(b) ensure that the password for the account was sufficiently complex to be resistant to a brute-force attack; and
(c) keep the decryption key secure and prevent it being accessed by the hacker.
The ICO was satisfied that the contravention was of a kind likely to cause substantial damage or substantial distress, meaning the Commissioner was able to serve a monetary penalty notice (pursuant to Section 55A(1) of the DPA). Although the Company had some mitigating factors, such as self-reporting the incident to the Commissioner and taking substantial remedial action, it was issued a monetary penalty of £60,000.
An aggravating feature was the high volume of Data Subjects affected and the financial information concerned, which Data Subjects would have expected to have an adequate level of protection. The ICO considered that the Company ought to have reasonably known that there was a risk that the contravention would occur and that this would be likely to cause substantial damage and distress to Data Subjects.
The GDPR enhances the requirements on the Data Controller (and the Data Processor) in respect of data security. The GDPR principles state that personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is not too dissimilar to the DPA; however, the GDPR goes further and sets out examples of measures to ensure a level of security appropriate to the risk (Article 32):
(a) “the pseudonymisation and encryption of personal data;
(b) the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing…”
In summary, the GDPR demands a privacy by design principle, where the security of personal data processing is treated as part of the core of the business. Data Controllers and Data Processors (who become directly liable under the GDPR) must have adequate procedures and policies in place to avoid sanction, which under the GDPR could be up to 20 million euros or 4% of annual global turnover.