By Legal Futures’ Associates Willis Towers Watson
On 25 May 2018 the General Data Protection Regulation (GDPR) was introduced in the UK amid widespread concerns over the significant fining powers that would now be available to the Information Commissioner’s Office (ICO).
In July 2019, the ICO announced its intention to fine British Airways and Marriott International £183 million and £99 million respectively. Whilst we await full details of the investigation and the official details of the penalty notice, the ICO has published details of two smaller but significant fines against DSG Retail Limited (DSG) and Doorstep Dispensaree Ltd (Doorstep).
Although both cases were considered under pre-GDPR legislation, businesses should take note of the ICO’s approach. Because the two cases differ significantly in business size and in the nature of the breaches, together they provide a good opportunity to review a range of lessons learned.
The breaches and fines
DSG includes the Dixons group, and in January 2020 the group was fined £500,000 after a cyber-attack, which affected potentially 14 million people.
Doorstep, a much smaller business, is a pharmacy that supplies medicines to care homes in London. In December 2019, it was fined £275,000 after 47 unlocked crates, two disposal bags and one cardboard box containing personal data were discovered in a courtyard.
The full details can be viewed on the ICO’s website.
What lessons can we learn?
- Do not ignore IT reports: The ICO investigation of DSG included reviewing past IT reports that DSG had commissioned. These reports highlighted concerns over point of sale terminal security and laptop build. In conclusion, these reports stated that such devices were ‘susceptible to critical vulnerabilities’ and therefore the ‘integrity of these devices should not be relied upon.’ The findings were taken into consideration by the ICO when considering these breaches.
- Pay attention to industry wide standards: In considering DSG’s compliance, the ICO found the industry wide payment card standard (PCI-DSS) a helpful benchmark, and considered that DSG had fallen short of it.
- The ICO looks beyond the breach itself: It remains unclear how the attacker gained access to the DSG systems. DSG submitted that many of the areas looked at by the ICO were not material to the breach. However, the ICO looked across all areas of data protection compliance in forming its view on the cultural approach within DSG to safeguarding client data: ‘even if the remedying of the deficiencies discussed in this Notice would not have precluded this particular attack, they nonetheless exposed the contents of the system to serious risks’.
- Take responsibility: The findings from Doorstep suggest a lack of co-operation throughout the investigations process with the ICO. These findings further highlight the down-playing of the seriousness of the contraventions and an attempt to pass off some responsibility to their licensed waste disposal company.
- Ensure policies and procedures are up to date: Doorstep supplied policies and procedures to the ICO that were out of date, vague, and relied on templates, yet Doorstep was not even compliant with these. This perhaps suggests that Doorstep was not taking data protection matters seriously.
What will the ICO consider?
Both findings provide indications on areas the ICO will consider when deciding which action to take.
- Size of the business: The ICO felt that the general public viewed DSG as a large national retailer who should ‘lead by example’. Larger, established businesses seem likely to be more heavily hit by the ICO and need to ensure that they are an example to their profession.
- Duration and detection of the breach: The DSG breach went unnoticed for nine months before DSG was made aware of the matter through an external source; however, the ICO did consider it a mitigation that DSG self-reported the matter. In the case of Doorstep, the matter was reported to the ICO by its regulator, the Medicines and Healthcare products Regulatory Agency (MHRA).
- How many customers impacted: The DSG breach impacted an estimated 14 million customers.
- Impact on customers: With the Doorstep decision, the ICO considered the sensitivity of the data and felt that it fell into special category data.
Similarly, the data which was breached in DSG was of a type that risked leading to identity theft and fraud, and so the ICO considered the distress this was likely to cause customers. The DSG data was linked to 85 fraudulent payments at supermarkets which resulted in evidence of the data being sold on the Dark Web.
The ICO reviewed the complaints received by them and DSG, which were cited as evidence of the distressful impact on customers.
- Actions taken: When considering the size of the fine, the ICO will consider the actions taken since the breach was identified. In the case of Doorstep, very few actions were taken, since the MHRA had effectively resolved the issue of the data sitting in the courtyard.
DSG contacted all customers who were possibly affected, undertook an advertising campaign, established a specific call centre, offered credit monitoring to customers and worked with their acquiring bank to mitigate potential customer exposure to financial fraud.
Whilst the actions taken by DSG may seem significant, the ICO commented that they gave these ‘limited credit’ as they considered the actions to be an ‘industry standard approach’. They also questioned the effectiveness of the credit monitoring given only 25% of customers took up this offer.
Clearly the actions taken after the identification of the breach are critical, not only for assisting affected clients and protecting the reputation of the business, but also because they are material to the enforcement action and fine that the ICO decides upon.
- Past breaches: When deciding upon the fine, the ICO considered and commented on the past action taken against another firm within the DSG group, noting that the breaches identified were similar to those previously identified. Evidently, the ICO expects organisations to learn from past failings and shortcomings.
Deciding on the fines
In imposing a penalty, the ICO makes it clear it is looking for a fine that is ‘effective, proportionate and dissuasive.’ In this respect the ICO does also consider the financial standing of the company as evidenced in filings at Companies House.
In the case of DSG, the ICO also makes it abundantly clear that the fine would have been significantly higher had the breaches been considered under current legislation; instead, the maximum fine of £500,000 was imposed as per the legislation in place at the time.