The Information Commissioner’s Office (“ICO”) has issued a record monetary penalty of £400,000 against telecommunications group TalkTalk under the Data Protection Act 1998.
The fine is for serious contraventions of TalkTalk’s security obligations as a data controller under the Act which occurred in 2016 and which were well publicised.
The decision is an indication that the ICO means business when it comes to enforcement, particularly because the number of records compromised was not that high compared with some other breaches.
TalkTalk’s failing centered on its reliance on an outdated version of the MySQL platform which left it exposed to cyber-attack. TalkTalk had failed to install a patch that had been available for over three years.
This has to be a wake-up call to data controllers to make sure their systems and anti-virus software are up to date, and to ensure that they identify and respond appropriately to any attempted hack that may take place. TalkTalk’s fine was 80% of the current maximum, but when the General Data Protection Regulation comes into force in May 2018 businesses may be fined the greater of 4% of global turnover or Euro 20,000,000.
If you haven’t audited your data protection compliance for a while, now is the time to review and put in place the best process and insurances to guard against these risks.
For more information on how Briffa can help you on data protection issues contact us or arrange for a meeting +44 (0)20 7288 6003.