Yahoo! fined for failure to implement intra-group processing agreement
With the arrival of the GDPR, the focus on third party data processing agreements and ensuring they have the relevant controls in place has never been more intense. But how much do businesses need to focus on their intra-group processing agreements?
On 22 September 2016 Yahoo! Inc. publicly announced for the first time that the personal data of 500 million user accounts had been removed from its US servers by hackers two years earlier, in November 2014. The data included users' names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. During this period Yahoo! UK Services Limited (Yahoo! UK) was the data controller for over 500,000 UK account users, whose personal data was held on the servers of Yahoo! Inc. as the data processor. The data breach has become notorious, both because of the extent of the breach and because of the two-year delay in reporting the attack.
The data breach was initially investigated by the US Securities and Exchange Commission, which imposed a $35 million (£26 million) fine on Yahoo! A separate investigation was then carried out by the ICO which focused specifically on Yahoo! UK's liability for the data breaches of the UK accounts. The fact that the breach occurred on the systems of Yahoo! Inc. as data processor did not extinguish Yahoo! UK's liability: as data controller it was under an obligation to ensure that Yahoo! Inc. took appropriate measures to protect its users' personal data.
The ICO's investigation found that:
- Yahoo! UK failed to take appropriate technical and organisational measures to protect the data of its customers against exfiltration by unauthorised persons;
- Yahoo! UK failed to take appropriate measures to ensure that Yahoo! Inc. as its data processor complied with the appropriate data protection standards. Such measures include entering into a written contract with Yahoo! Inc., providing it with instructions on the steps that must be taken to protect personal data, and ensuring that those steps were adhered to; and
- the inadequacies found had been in place for a long period of time without being discovered or addressed.
In considering the financial penalty to be imposed, the ICO considered Yahoo! UK's shortcomings, including the fact that its technical and organisational safeguarding systems were materially inadequate to protect against data breaches, particularly given its resources and experience, and also that the breach went undiscovered and unaddressed for a long period of time. The ICO also considered factors in Yahoo! UK's favour that mitigated the penalty, such as its extensive steps to notify affected users and to inform them how they could protect their accounts. In the circumstances the ICO was satisfied that a fine of £250,000 was reasonable and proportionate under the DPA 1998.
Why is this important?
As the Yahoo! UK data breach occurred in 2014, the DPA 1998 was applied, since the GDPR does not apply retroactively. However, had the breach occurred under the GDPR, Yahoo! UK would have found itself in a significantly different position.
The data breach was discovered in July 2016, 21 months after it occurred, and even upon discovery Yahoo! UK waited a further two months before reporting the breach, on the commercial basis that Yahoo! UK was in acquisition negotiations with Verizon at the time. Under the GDPR, such a delay would not be possible, regardless of the commercial impact on the company. Amongst other provisions, Yahoo! UK would have been in violation of the GDPR in that it failed to implement systems to identify data breaches in a timely manner and also that it failed to notify users of the breach within the requisite 72-hour period.
Despite the sanctions imposed on Yahoo! UK, the extent of the damage is significantly lower than it could have been under the GDPR. Under the DPA 1998 the maximum penalty for a breach was £500,000, whereas the GDPR allows for fines up to the higher of €20 million or 4% of annual global group turnover. In 2015, Yahoo! global group revenue was recorded at $4.9bn. Taking a similar figure under the GDPR could have exposed Yahoo! UK to a fine of up to $198m.
Any practical tips?
The key message from this case is the need to ensure that data processing agreements are in place between group companies, and not just with third party external processors. Those intra-group agreements are often overlooked. So while companies continue to invest substantial time and cost in updating their third party processor agreements, they must not overlook the dangers of failing to tend to their own backyard, that is, their own intra-group data transfers. Clearly this is even more crucial in the post-GDPR world with its potentially eye-watering levels of fines.