ICO issues TalkTalk monetary penalty notice for £100,000
On 7 August 2017, the Information Commissioner’s Office fined TalkTalk £100,000 after an investigation found that it had failed to take adequate security measures to protect customer data from unauthorised access via a web-based portal.
In 2004, TalkTalk provided Wipro Limited (Wipro), a multinational IT services company that resolved network issues on TalkTalk’s behalf, with access to a portal that contained the personal information of between 25,000 and 50,000 customers. According to the investigation, in 2014, certain employees of Wipro used the portal to gain unauthorised access to customer data, which included names, addresses and phone numbers.
The ICO’s investigation found that TalkTalk had failed to take due regard to:
- The state of technological development
- The cost of implementing any measures
- The nature of the customer data, and
- The harm that might result from its misuse.
TalkTalk had therefore contravened the seventh principle of the DPA, by not ensuring that appropriate technical and organisational measures had been taken to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The ICO found that TalkTalk had:
- Provided 40 Wipro employees with access to the customer data without any controls in place to either limit access to the customers themselves or to just the fields that were actually required for Ofcom reporting
- Allowed Wipro employees to access the portal from any internet-enabled device, rather than only from devices linked to Wipro, and
- Allowed Wipro employees to make “wildcard” searches, view large numbers of customer records at any one time and bulk download data (although there was no evidence that this had occurred). There was no adequate justification for those capabilities.
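The three findings above map directly onto controls a portal can enforce at request time: a device/network restriction, a field allow-list, exact-identifier lookups instead of wildcard searches, scoping to the customers the partner is actually working on, and a per-session volume cap. The following is an added illustration, not code from TalkTalk, Wipro or the ICO notice; the network range, field names, customer records and limits are constructed sample values.

```python
import ipaddress
from collections import Counter

# Constructed policy values and sample data (assumptions for this example only).
PARTNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # approved partner network range
REPORTING_FIELDS = {"account_id", "exchange", "fault_code"}  # the fields the reporting task needs
LOOKUP_LIMIT_PER_SESSION = 5                                  # hard cap on records one session may pull

CUSTOMERS = [
    {"account_id": "ACC1001", "name": "A. Example", "address": "1 High St", "phone": "01632 960001",
     "exchange": "EX-NORTH", "fault_code": "F17", "open_fault": True},
    {"account_id": "ACC1002", "name": "B. Example", "address": "2 High St", "phone": "01632 960002",
     "exchange": "EX-SOUTH", "fault_code": None, "open_fault": False},
]

_session_lookups = Counter()  # session_id -> number of records returned so far


def lookup(session_id, source_ip, account_id, fields):
    """Return (records, reason); records is empty and reason explains why when policy denies."""
    # 1. Device/network control: requests only from networks linked to the partner.
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in PARTNER_NETWORKS):
        return [], "source address not on an approved partner network"
    # 2. No wildcard or partial searches: an exact, full account identifier is required.
    if not account_id.isalnum() or len(account_id) < 7:
        return [], "wildcard or partial identifier rejected"
    # 3. Field-level control: only the fields the reporting task actually requires.
    extra = set(fields) - REPORTING_FIELDS
    if extra:
        return [], "fields not permitted: " + ", ".join(sorted(extra))
    # 4. Scope control: only customers with an open fault, i.e. those the partner works on.
    matches = [c for c in CUSTOMERS if c["account_id"] == account_id and c["open_fault"]]
    # 5. Volume control: a per-session cap so bulk extraction is not possible.
    if _session_lookups[session_id] + len(matches) > LOOKUP_LIMIT_PER_SESSION:
        return [], "session lookup limit reached"
    _session_lookups[session_id] += len(matches)
    return [{k: c[k] for k in fields} for c in matches], "ok"
```

Each denial returns a reason string so the portal can log it; repeated denials from one session are exactly the signal a detection rule would alert on.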
The ICO considered that TalkTalk’s contravention comprised a number of serious and material inadequacies and that those inadequacies were systematic (from 2004 until 2014). The ICO further said that TalkTalk ought to have known that there was a risk that a contravention would occur; that it had failed to prevent this; and that any such contravention was likely to cause substantial damage and distress. In the light of this and the importance of deterring future contraventions by TalkTalk and others, the ICO issued the monetary penalty under s55A of the DPA.
Why is this important?
It’s likely that data protection compliance was not at the front of mind of those negotiating the original Wipro deal. After all, this was back in 2004. But the fine highlights just how alive businesses (and lawyers) need to be to data regulation when outsourcing services to third parties. It goes without saying that the stakes get much higher when the General Data Protection Regulation (GDPR) comes into force, especially with the increased fining powers for regulators.