In GDPR - Fines 7 Dec 2017 I outlined the Information Commissioner's existing powers under s.55A of the Data Protection Act 1998 and The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 to impose monetary penalties on data controllers who contravene s.4 (4) of the Act. As I noted in that article, the maximum penalty that the Commissioner can impose is limited to £500,000 by reg 2 of those Regulations.
By a monetary penalty notice dated 8 Jan 2018 the Information Commissioner fined the Carphone Warehouse £400,000 (80% of the maximum under reg 2) for failing to prevent unauthorized access to the personal data of over 3 million of its customers and some 1,000 of its employees.
Paragraph 7 of Sched. 1 of the Act provides:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."Paragraphs 9 to 12 of the schedule add:
"The seventh principleBased on evidence that had been submitted by the Carphone Warehouse which included reports by forensic specialists, the Commissioner found at paragraph 22 that the data controller had contravened the above data protection principle in 11 respects ranging from the use of out of date software to inadequate vulnerability scanning. Having regard to the state of technological development, the cost of implementing any measures, the nature of the relevant personal data and the harm that might ensue from its misuse, the Commissioner's held was that there were multiple inadequacies in Carphone Warehouse's technical and organisational measures for ensuring the security of personal data on the System.
9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
(b) the nature of the data to be protected.
11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—
(b) take reasonable steps to ensure compliance with those measures.
(a) the processing is carried out under a contract—
(i) which is made or evidenced in writing, and(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."
(ii) under which the data processor is to act only on instructions from the data controller, and
The Commissioner concluded that the requirements of s.55A (1) had been met. After considering both aggravating and mitigating factors she fixed the penalty at £400,000 to be paid by the 8 Feb 2018. She offered the data controller a 20% discount if it pays the fine in full by 7 Feb 2018 and does not appeal. If it exercises its right of appeal it will forego the £80,000 discount. That leaves a very difficult decision for The Carphone Warehouse and its lawyers. If the company accepts the Commissioner's finding it risks claims for compensation in the civil courts by any one or more of its 3 million customers and 1,000 employees. On the other hand it will not be easy to appeal and the costs could well exceed £320,000.
Should anyone wish to discuss this note or data protection generally, he or she should call me on 020 7404 5252 during normal business hours or send me a message through my contact form.