After receiving a record fine at the end of last year, the telecoms company TalkTalk has been fined yet again for failing to have appropriate technical and organisational measures in place to keep personal data secure.

The Information Commissioner’s Office (ICO) has fined TalkTalk £100,000 for breaching the seventh data protection principle under the Data Protection Act 1998 (DPA) for systemic inadequacies which were likely to cause substantial damage and distress.

The breach related to a TalkTalk portal which was used by service providers to access customer information. One such service provider was Wipro, a multi-national IT service provider based in India which resolved complaints and coverage problems on TalkTalk’s behalf.

The portal allowed 40 Wipro employees to access the personal data of between 25,000 and 50,000 TalkTalk customers without appropriate controls to restrict access. The ICO noted that Wipro employees could access the customer’s personal data from any internet enabled device, carry out wildcard searches to gain access to large numbers of customer records and were able to view up to 500 customer records at a time.

The breach was discovered by TalkTalk in September 2014 after customers complained of receiving scam calls where their address and TalkTalk account numbers were cited. Despite the ICO finding no direct evidence between the breach and the scam calls, it found that TalkTalk should have been aware of the risks and the likelihood of substantial damage or distress. Such damage and distress was likely to include the risk of individuals providing their bank account details to scammers and the uncertainty of how they might be adversely affected.

Furthermore, the ICO has highlighted that organisations are expected to be aware of the increasing number of scams of this nature and should therefore take reasonable steps to prevent any breach of data protection laws.

WAB Comment

This enforcement action shows that, unfortunately for TalkTalk, one investigation by the ICO is likely to lead to further investigations and therefore increase the likelihood of an organisation receiving multiple fines and repeated reputational damage.

It appears that TalkTalk may have been too trusting of their data processor’s security measures, a common problem for data controllers, particularly when contracting with large service providers which often have non-negotiable terms and conditions.

The ICO’s enforcement action demonstrates the importance of data controllers probing and questioning their processors’ systems and ensuring that they comply with applicable data protection laws.

The incoming General Data Protection Regulation (GDPR), which is due to come into force in May 2018, will place a new duty directly on data processors to comply with the GDPR and implement adequate security measures. However, data controllers will also be under a new obligation to demonstrate their accountability with the processing principles, including the principle to ensure appropriate security of personal data.

Under the GDPR, therefore, data controllers and data processors will both be liable for failure to comply with their obligations to implement appropriate security measures. What is not yet clear is how the regulator, in situations similar to this, will approach the apportionment of fines.

Details of the ICO’s enforcement action can be found here.

This blog post was written by Amelia Day, trainee solicitor at White & Black.