This week it was announced that the Information Commissioner’s Office (‘ICO’) has dropped an investigation into a hack affecting nine million easyJet customers because it has said that its “limited resources” are better used elsewhere. The security of personal data has become a paramount concern for organisations and individuals – but what are the implications of a data breach?
What happened?
In January 2020 easyJet became aware of a “highly sophisticated cyber-attack” which targeted customer’s email addresses, travel details and credit and debit card details. It has not provided details about the nature of the attack or the motives, but it was so severe that easyJet bosses called in GCHQ’s National Cyber Security Centre to help it deal with the fallout.
The ICO confirmed that it will be issuing no penalty to easyJet saying it had to “make difficult choices about which issues we take forward”.
What is a personal data breach and when do I need to report it?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The vital consideration is whether the breach poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms following the breach and if you think there will be a risk then you must notify the ICO within 72 hours of becoming aware of the breach. It usually takes half an hour to complete.
What is the ICO’s role when you suffer a data breach?
The ICO will work with you and provide advice about the next steps you should take. It will then ask you questions about your customers, your accounts, your security mechanisms in place at the time of the attack and any data protection and security improvements you have made since the attack.
The ICO has the power to issue a monetary penalty for failing to protect the rights of the data subject (Part 3 UK GDPR) and there are two tiers:
1. The standard maximum fine: £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year (whichever is higher); or
2. The higher maximum fine: £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year (whichever is higher).
Before issuing a penalty, the ICO will send you a notice of intent with its proposed penalty and how it calculated that figure. If you disagree with the content of the notice of intent you can make written representations and are given at least 21 days to do so. The ICO will consider these representations prior to its final determination in a penalty notice.
Penalty notices are published on the ICO’s website.
Are there mitigating factors?
Yes and written representations provide a good opportunity to highlight these. They include factors such as:
· Apologising to customers and taking remedial action following the breach.
· Seeking to address security concerns and engage with third party experts to increase the security of systems following the breach.
· Implementing procedures so that all staff undertake data security and protection training at the commencement of their employment.
· The data breach having a significant impact on an organisation’s reputation.
Is there any early payment discount?
No. The ICO no longer offer payment reductions for cases considered under the UK GDPR. It will, however, consider any financial hardship or payment difficulties if these are submitted in written representations.
How can Tozers help me?
If you have been subject to a data breach, we can support you through the process. Upon receipt of a notice of intent we can discuss mitigating factors and prepare written representations to the ICO to challenge the level of the proposed penalty.
Tozers expert lawyers can assist you with a broad spectrum of data protection issues, including data breaches. Contact us to speak with one of our expert lawyers today.