The timing of a data breach makes a huge difference. Want to see an example? Take a look at the most recent fine that the Information Commissioner's Office ("ICO") has issued against the entity that controls Currys PC World: DSG Retail Limited ("DSG"). Because the data breaches occurred prior to the General Data Protection Regulation ("GDPR"), DSG was fortunate enough to receive a fine of only £500,000 on 9 January 2020. This is because the poor data protection programme that led to the data breaches was investigated under the Data Protection Act 1998. Had the data breaches occurred one month later, it would have been a very different situation and certainly one which would have resulted in a much larger fine (as confirmed by the ICO).
What exactly happened? DSG suffered serious cyber-breaches relating to its point of sale computer system which affected at least 14 million of its customers. The breaches occurred over a shocking 9-month period and came down to the fact that an attacker installed malware on 5,390 point of sale terminals, where in-store payments are taken, at DSG's stores (such as Currys PC World and Dixons Travel). It is understood that 5.6 million payment card records used in transactions were accessed and, as a result, the attacker was able to see full names, postcodes, email addresses and information relating to failed credit checks. The ICO criticised DSG for its carelessness in relation to its security protocols and its failure to protect customers' data, which put its customers at risk of financial loss and identity theft.
At Aria Grace Law, we’ve taken a look at the fine and have noted lessons that organisations can learn from this enforcement action:
1. Organisations should be alert to the personal data they process and be able to demonstrate compliance with the GDPR to their customers. In DSG's situation, the ICO was contacted 158 times with complaints between June 2018 and November 2018. Whilst DSG was not investigated under the GDPR, the mere existence of this legislation resulted in data subjects becoming more aware of their rights and of how to complain when those rights were not protected.
2. Organisations are urged to ensure that, when building a data protection programme, they include and consider all of their entities and apply best practices across the board. We can see that this did not happen in the case of DSG, as another entity within its group (i.e. Carphone Warehouse) was fined £400,000 in January 2018 for similar security vulnerabilities. This shows that the group as a whole (a) had poor security in place and no holistic and robust approach to the GDPR across all entities; and (b) showed a real lack of care, because no lessons were learnt from the Carphone Warehouse fine.
3. Organisations often naively believe that personal data only includes the full name of a data subject; however, data privacy law applies to any personal data that directly or indirectly identifies an individual. In DSG's situation, it claimed that the volume of its data breaches was not as high as the ICO had found. It stated that for some of its customers only the primary account number and expiry date were stolen, and not the cardholder's name. The ICO rejected this argument and found that the payment account number is unique to each cardholder and can be traced back to them, and therefore the scale of DSG's breach was much greater than it believed.
4. Organisations should ensure that when they conduct monitoring and testing (whether internally or with an external adviser), any issues that are identified are rectified in a timely manner. In DSG's situation, it had instructed an external adviser in 2017 to review its point of sale terminals, and the external adviser found that they were "susceptible to critical vulnerabilities". The external adviser found that the point of sale software that DSG was using was significantly out of date (and in the case of Carphone Warehouse it was eight years out of date). For a company that is in the business of selling electronic products, the fact that DSG did not rectify this is highly concerning for its customers.
5. The data protection principle that DSG breached concerned "appropriate technical and organisational measures". This principle is one that organisations find difficult to understand because it is so broad and covers both the "technical" and the "organisational" aspect. From our experience, "technical measures" means putting in place controls that are relevant to the specific industry and technology being used. In DSG's situation, the controls that should have been in place were adequate software patching, point-to-point encryption, firewalls and network segregation, and routine security testing, as a combination of these controls could have prevented, or at the very least reduced, the data breach risks that the company faced. We believe that "organisational measures" can cover a variety of elements, including appointing a data protection officer, creating a data protection committee and rolling out data protection policies and procedures that govern how data is processed and how data breaches are managed.
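To make the "technical measures" in point 5 concrete, here is an added example (not part of the original update and not DSG's or the ICO's material) that audits a constructed inventory of point of sale terminals against three of the controls named above: software patch age, point-to-point encryption at the card reader, and network segregation. The terminal records, the one-year patch-age threshold and the "payments" VLAN name are all hypothetical values chosen for illustration.

```python
"""Audit a constructed POS terminal inventory against three technical controls:
patching, point-to-point encryption (P2PE) and network segregation."""
from datetime import date
from typing import Dict, List

# Constructed sample inventory (hypothetical; not real terminal data).
# Each record: software release date, whether card data is encrypted at the
# reader (P2PE), and the VLAN the terminal is attached to.
TERMINALS: List[Dict] = [
    {"id": "pos-001", "store": "A", "software_release": date(2011, 3, 1),
     "p2pe": False, "vlan": "corp-lan"},
    {"id": "pos-002", "store": "A", "software_release": date(2019, 6, 15),
     "p2pe": True, "vlan": "payments"},
    {"id": "pos-003", "store": "B", "software_release": date(2017, 1, 10),
     "p2pe": True, "vlan": "corp-lan"},
    {"id": "pos-004", "store": "B", "software_release": date(2019, 11, 2),
     "p2pe": False, "vlan": "payments"},
]

# Assumed policy thresholds (hypothetical values for this example).
MAX_PATCH_AGE_DAYS = 365        # software released longer ago than this is out of date
PAYMENT_VLANS = {"payments"}    # VLANs reserved for card-processing devices only


def audit_terminal(term: Dict, today: date) -> Dict[str, str]:
    """Return a mapping of failed control -> finding for one terminal.

    An empty dict means the terminal passes all three checks.
    """
    findings: Dict[str, str] = {}
    age_days = (today - term["software_release"]).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings["patching"] = f"software out of date by {age_days // 365} years"
    if not term["p2pe"]:
        findings["p2pe"] = "no point-to-point encryption at card reader"
    if term["vlan"] not in PAYMENT_VLANS:
        findings["segregation"] = f"on non-segregated network '{term['vlan']}'"
    return findings


def audit_inventory(terminals: List[Dict], today: date) -> Dict[str, Dict[str, str]]:
    """Audit every terminal; only terminals with at least one finding appear."""
    report = {}
    for term in terminals:
        findings = audit_terminal(term, today)
        if findings:
            report[term["id"]] = findings
    return report


def count_by_control(report: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Fleet-level view: how many terminals fail each control."""
    counts = {"patching": 0, "p2pe": 0, "segregation": 0}
    for findings in report.values():
        for control in findings:
            counts[control] += 1
    return counts


if __name__ == "__main__":
    as_of = date(2020, 1, 9)  # the date of the fine, used as the audit date
    report = audit_inventory(TERMINALS, as_of)
    for term_id, findings in report.items():
        for control, message in findings.items():
            print(f"{term_id}: [{control}] {message}")
    print("Failures per control:", count_by_control(report))
```

The fleet-level counts are the figure a data protection committee would want to track over time: a terminal that fails all three checks (out-of-date software, no P2PE, and a shared network) is the configuration in which malware on one terminal has the most to read and the fewest barriers to spreading, which is why the update above stresses that these controls work in combination.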
Aria Grace Law
We advise large companies and legal service providers on data protection matters. We are experienced data privacy experts and can assist your organisation with reviewing and enhancing your data protection programme as well as with engaging with regulators such as the ICO. If you would like to find out more or instruct us to help you, please contact us at compliance@aria-grace.com.
Privacy Update by Michael Mulholland and Puja Modha, Partners at Aria Grace Law, 27.01.2020