A heavy read from the Europeans, entitled "The future EU-UK relationship: options in the field of the
protection of personal data for general processing activities and for processing for law enforcement purposes.
Read more here.
Just as PPI ambulance chasing comes to a close, solicitors (such as
are now offering "no-win no-fee" legal action against companies that lose personal data. The
is certainly in their sights.
GDPR considerably increased potential fines, but these legal cases could cost companies a lot more.
It will be interesting to see how damages can be quantified.
We're also keeping a close eye on the
WM Morrison data breach case from 2014. In December 2018, a High Court judgement held the company
"vicariously liable" and suggested they may need to compensate 100,000 employees affected after their
senior internal auditor (Andrew Skelton) leaked payroll details to the press. The law firm
JMW is seeking further claimants.
This webinar is aimed at Data Controllers and will give advice and guidance on how and when to report security breaches
to the ICO. They will also share our experience of the first few weeks of breach reporting under the GDPR,
and respond to some frequently asked questions.
Sign up for the webinar here.
The Independent Inquiry into Child Sexual Abuse (IICSA) received a £200k fine after sending a bulk email that identified possible victims of non-recent child sexual abuse.
On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing.
After noticing an error in the email, a correction was sent, but by mistake the email addresses were entered into the ‘to’ field instead of the ‘bcc’ field.
This allowed every recipient to see the other recipients’ email addresses, identifying them as possible victims of child sexual abuse.
Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.
Read more here.
The European Commission has deemed that Japan's level of protection
for personal data is comparable with the European Union (GDPR).
As such, after a brief interlude for due process between Europe and Japan, personal data will be able to flow freely between
the EEA and Japan without further safeguards (such as EU Model Clauses) or authorisations.
Let's hope post-Brexit UK manages the same feat next year!
European Commission FAQs here.
The ICO is considering the maximum DPA 1998 fine (£500k) for Facebook's involvement with Cambridge Analytica.
Although this is the DPA 1998 maximum, many have commented on the limited impact it would have on the global giant.
Elsewhere, it's suggested that Cambridge Analytica could have
paid $1m to $1.5m for the data, making the fine look like an acceptable cost of doing business.
Under GDPR/DPA 2018, the maximum fine would be closer to £0.5b (4% of global turnover),
which may gain more attention...
"A wallet used to upgrade some smart contracts was compromised. As a result,
the attackers made off with $12.5 million in Ether, $1 million in Pundi X’s NPXS token and $10 million in Bancor’s BNT."
STS Commercial fined £60k for 270k spam text messages without recipients’ consent.
Noble Design and Build of Telford fined £5k for failing to register with the ICO and failing to respond
to the ICO’s information requests.
The company operates CCTV systems across Sheffield.
BT fined £77k for bulk email to 5m customers in December 2015.
BT thought their “donate to charity here” emails were not marketing and sent them to customers who had
opted out or hadn’t consented to marketing. The ICO saw it as marketing for those charities and not part of BT’s service.
Gloucester Police fined £80k for revealing identities of abuse victims in a bulk email in December 2016.
The email was sent with 56 addresses in the ‘to’ field (rather than bcc), potentially including victims, witnesses, lawyers and journalists.
Email presents considerable transfer and storage risks to all organisations.
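Both the IICSA and Gloucester Police fines above came from the same mechanical error: a bulk mailing whose recipients ended up in the visible ‘to’ field. The following is an added example, not code from the original page or from any of the organisations named, of the kind of pre-send check an outbound mail pipeline can apply: it counts the addresses exposed in To/Cc and refuses to send when more than an assumed policy threshold would see one another. The participant list, domains and threshold are all constructed for the example.

```python
"""Outbound-mail guard: block bulk messages that expose recipients in To/Cc."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy value: more than this many mutually visible recipients means
# the message must be sent via Bcc (the single visible "To" being the sender).
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample participant list (invented names and example domains).
# Display names are included because the IICSA case noted that 52 addresses
# carried full names, so exposure is worse than the bare address suggests.
PARTICIPANTS = [
    "Alice Example <alice.example@example.org>",
    "Bob Sample <bob.sample@example.net>",
    "carol@example.com",
]


def visible_recipients(msg):
    """Return every address that all recipients will be able to see (To and Cc)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_recipient_exposure(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Return (ok, reason); ok is False when more than `limit` recipients
    would be exposed to each other, i.e. a bulk mail that should use Bcc."""
    exposed = visible_recipients(msg)
    if len(exposed) > limit:
        return False, f"{len(exposed)} recipients visible in To/Cc; move them to Bcc"
    return True, "ok"


def build_bulk_message(recipients, *, use_bcc, sender="notices@example.org"):
    """Build a notice to many recipients, either correctly (Bcc) or with the
    mistake described in the IICSA and Gloucester Police cases (all in To)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Public hearing notice"
    if use_bcc:
        msg["To"] = sender  # self-addressed; the only address anyone can see
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)  # the erroneous "correction" email
    msg.set_content("Details of the public hearing follow.")
    return msg


if __name__ == "__main__":
    for use_bcc in (True, False):
        ok, reason = check_recipient_exposure(
            build_bulk_message(PARTICIPANTS, use_bcc=use_bcc)
        )
        print("bcc" if use_bcc else "to ", "->", "SEND" if ok else "BLOCK", reason)
```

In practice this sits in the relay or sending script rather than in the user's mail client, so that a hurried correction email is stopped before it leaves the organisation; the Bcc header is stripped by the submitting MTA, which is exactly why it is the safe place for the list.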
Bible Society fined £100k after their network was hacked in December 2016 and 417,000 supporters’ details accessed
including card and bank data. A user account, whose password was the same as the username, could be accessed from
outside their network. Ransomware was deployed through that account,
using a variant that extracted data, as well as encrypting local data and requesting money.
Ticketmaster revealed a major data breach impacting up to 40,000 customers from February 2018 to June 2018.
Reports suggest malware running on a third party supplier (Inbenta Technologies) caused the breach.
This really highlights the importance of
due diligence on the supply chain, which is often severely lacking. Also concerning are the
Monzo bank reports that they told Ticketmaster about the breach on 6th April, when they noticed that 70%
of their fraud cards had previous genuine transactions at Ticketmaster. This is likely to be one of the first cases
to receive a GDPR-sized fine. We await the ICO's action.
University of Greenwich fined £120k after a website hack (SQL injection and subsequent PHP exploits)
gave access to 19,500 personal records with 3,500 health details. Data was posted online in January 2016.
IAG Nationwide fined £100k for calling 69k people who had registered on TPS, in 2017. 506k calls were made in total.