
Lost in the Digital Skies: easyJet’s Data Breach Highlights Turbulence for the ICO

Posted on 09th November 2023 in Data Protection

Posted by

Jessica Whittick

Solicitor

This week it was announced that the Information Commissioner’s Office (‘ICO’) has dropped its investigation into a hack affecting nine million easyJet customers, saying that its “limited resources” are better used elsewhere. The security of personal data has become a paramount concern for organisations and individuals – but what are the implications of a data breach?

What happened?

In January 2020 easyJet became aware of a “highly sophisticated cyber-attack” which targeted customers’ email addresses, travel details and credit and debit card details. It has not provided details about the nature of the attack or the motives, but it was so severe that easyJet bosses called in GCHQ’s National Cyber Security Centre to help it deal with the fallout.

The ICO confirmed that it will be issuing no penalty to easyJet saying it had to “make difficult choices about which issues we take forward”.

What is a personal data breach and when do I need to report it?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The vital consideration is whether the breach poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms following the breach, and if you think there will be a risk then you must notify the ICO within 72 hours of becoming aware of the breach. Notifying the ICO usually takes about half an hour.

What is the ICO’s role when you suffer a data breach?

The ICO will work with you and provide advice about the next steps you should take. It will then ask you questions about your customers, your accounts, your security mechanisms in place at the time of the attack and any data protection and security improvements you have made since the attack.

The ICO has the power to issue a monetary penalty for failing to protect the rights of the data subject (Part 3 UK GDPR) and there are two tiers:

1. The standard maximum fine: £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year (whichever is higher); or

2. The higher maximum fine: £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year (whichever is higher).

Before issuing a penalty, the ICO will send you a notice of intent with its proposed penalty and how it calculated that figure. If you disagree with the content of the notice of intent you can make written representations and are given at least 21 days to do so. The ICO will consider these representations prior to its final determination in a penalty notice.

Penalty notices are published on the ICO’s website.

Are there mitigating factors?

Yes, and written representations provide a good opportunity to highlight these. They include factors such as:

· Apologising to customers and taking remedial action following the breach.

· Seeking to address security concerns and engaging with third party experts to increase the security of systems following the breach.

· Implementing procedures so that all staff undertake data security and protection training at the commencement of their employment.

· The data breach having a significant impact on an organisation’s reputation.

Is there any early payment discount?

No. The ICO no longer offers payment reductions for cases considered under the UK GDPR. It will, however, consider any financial hardship or payment difficulties if these are submitted in written representations.

How can Tozers help me?

If you have been subject to a data breach, we can support you through the process. Upon receipt of a notice of intent we can discuss mitigating factors and prepare written representations to the ICO to challenge the level of the proposed penalty.

Tozers’ expert lawyers can assist you with a broad spectrum of data protection issues, including data breaches. Contact us to speak with one of our expert lawyers today.
