SaaS customers and SaaS Suppliers should be aware that in October 2016 the Information Commissioner’s Office (ICO) issued a £400,000 fine against TalkTalk for serious breaches of the Data Protection Act 1998 (DPA). The fine was issued in relation to the hacking of personal data stored in a database that was accessible via the Internet.
TalkTalk Case
In 2015, a cyber-attack exploited vulnerabilities in some web pages leading to the extraction of personal data from an underlying database of customer data operated by TalkTalk. The data accessed included names, addresses, email addresses, telephone numbers and dates of birth of more than 150,000 customers and the bank account numbers and sort codes of more than 15,000 customers.
Breach of Data Protection Law
The ICO determined that TalkTalk had breached the 7th principle of the DPA as they had not taken appropriate technical and organisational measures against authorised or unlawful processing of personal data. Nor had TalkTalk taken appropriate technical and organisational measures against accidental loss or destruction or damage to personal data.
The ICO came to this conclusion on the basis that:
- There were minimal levels of protection of personal data in place;
- Use of out of date software had allowed the database to be accessed using a basic cyber-attack; and
- A well known patch designed to fix this issue had been available for 3 years but had not been installed by TalkTalk.
Fine
£400,000 is the highest fine that the ICO has issued to date. Such a large fine was issued because:
- The personal data included names, address, email addresses and bank account information;
- Such data was likely to cause the individuals concerned substantial distress and would expose them to an increased risk of blagging, phishing and fraud; and
- The breach was not a one-off event (there had been previous cyber-attacks); and
- The breach was not attributable to human error.
How to Avoid Similar Breaches
SaaS customers and SaaS suppliers should reduce the risk of having a similar fine imposed on them for breaches of the DPA by taking the following basic precautions:
- Using current patches;
- Checking and monitoring for potential vulnerabilities in webpages and databases;
- Regularly reviewing security measures;
- Staying informed about attacks to other businesses; and
- Identifying, responding to and acting appropriately to actual and attempted cyber attacks.
Also, SaaS customers and SaaS suppliers should bear in mind that from the 25th of May 2018 the ICO will have increased powers to issue much higher fines under the General Data Protection Regulation (GDPR) of 4% of a group’s total worldwide turnover or €20 million, whichever is higher.
Help
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience in dealing with SaaS, cloud computing and IT law issues. If you require assistance with any SaaS agreements, cloud computing concerns or any other IT legal issues please contact me at:
irene.bodle@bodlelaw.com
www.bodlelaw.com
To register for my newsletter click here
______________________________________________________
Other related articles:
- SaaS Agreements – Liability – Covering the Risks with Insurance
- SaaS Agreements – Data Protection – SaaS, Brexit and the GDPR
- SaaS Agreements – Data Protection – Data Processing Agreement
- SaaS Agreements – Data Protection – Amending EU Model Clauses
- SaaS Agreements – Data Protection – Privacy Shield Update
- SaaS Agreements – Data Protection – Privacy Shield Approved
- SaaS Agreements – Data Protection – New Obligations for SaaS Suppliers
- SaaS Agreements – Data Protection – New Obligations for SaaS Customers
- SaaS Agreements – Legal Implications of a Brexit
- SaaS Agreements – Data Protection – Brexit and the GDPR
- SaaS Agreements – FAQs – What is SaaS and Essential Terms to include in a SaaS Agreement
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – Data Protection – New General Data Protection Regulation (GDPR)
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Which Law Applies
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – Russian Data Centres