BLOG

25 Feb, 2020
Twice bitten – have DSG / Carphone Warehouse NOT learnt anything? In 2018 Carphone Warehouse was fined £400,000 by the Information Commissioner after one of their computer systems was compromised as a result of a cyber-attack in 2015. So, you would be forgiven for thinking that they would have swiftly made sure all of their other systems were updated and safe as houses. It appears not: systemic failings continued, and another major breach occurred between July 2017 and April 2018. This time they have been fined the maximum penalty of £500,000 (the most they can be fined under the old rules that applied at the time of the breach). If it happened now, the fine could be 4% of turnover. Again, they had done the right thing in commissioning a report into the state of their systems, but it appears they had not taken the steps the report identified to fix those problems. Once looks unfortunate, twice looks... well, you make your own mind up. This time it was the point of sale (POS) systems, the little card readers where we all pay for our new fridge, TV and computers, that were breached. The attacker was able to install malware on 5,390 POS terminals in Currys PC World and Dixons Travel stores, and merrily collected the details of 5,646,417 payment cards. In addition, the attacker was able to export data out of DSG's internal servers, including records relating to approximately 14 million data subjects, containing non-financial information (e.g. names, postal addresses, mobile and home phone numbers, email addresses, dates of birth and failed credit checks), which is just the kind of information cyber thieves want as well. The ICO fine is the least of DSG's worries, with potentially 14 million compensation claims by unhappy customers, for many of whom this could be the second time their data has been stolen by criminals. If each claim for just the 5 million card holders was to be around £10,000, that would create a potential liability of £50 billion.
Even if it were only £1,000 per claim (and it wouldn't be, as this kind of data loss falls into the substantial distress range, and thus the substantial compensation range), that would take some paying. It is also the kind of liability DSG would have to make a provision for in their accounts, which would mean farewell to dividends for a while. The SEC in the USA stated that Equifax must make disclosure and provisions in their accounts following the major breach they suffered a couple of years ago. It makes sense as far as we can see. DataGuardsman® February 2020 www.dataguardsman.co.uk
By H10 Marketing 23 Oct, 2018
Morrisons Supermarkets have been confirmed as being responsible for the wrongful actions of their employees who have authority to hold and use personal data as part of their employment, even if they then wrongfully use it. What all employers need to do is look at what they have authorised employees to do with personal data, check if it can be made safer and implement appropriate technical and organisational measures. This is not startling news, as vicarious liability of employers for the acts of their employees is a long-standing legal concept. It can be insured against, but taking simple actions to protect personal data is the strongest protection a business can implement.
By H10 Marketing 19 Mar, 2018
There is a view that once an individual demands that a business removes all its records on that individual (the “right to be forgotten”), it must then comply with the request. That is clearly incorrect, or it would mean an individual could take out a loan for £50,000 today, then tomorrow demand the bank forget all about it. There are risks, however, for those businesses that have not paid attention to the content of their Privacy Notices – because if it is not clear why the business has the data, or the notice does not set out what it uses the data for, then the individual can demand the data is removed. This will cause difficulties for many businesses, not just large ones. Understanding what personal data is collected, what it is used for, why, and where it is shared is now critical for every business. Business can no longer ignore this critical issue of personal data (and don’t forget, business people are people too). Privacy Notices are a crucial protection for business. Spend time getting them right.
By H10 Marketing 17 Feb, 2017
Court awards employee £9,000 under the Data Protection Act 1998 and Human Rights Act because their employer used personal information for a purpose which was not set out in their privacy notices to the individual employee.
By H10 Marketing 16 Feb, 2017
In January 2017 the Information Commissioner fined two businesses for electronic marketing they carried out after accessing lists provided by data brokers. Although the buying companies had made sure the data broker had warranted the contacts were clean and fit for use, it turns out that they weren’t. One company was fined £40,000 and the other was fined £50,000. Could you pay those fines?
By H10 Marketing 28 Jan, 2017
The Federal Trade Commission of the USA has reacted to reports that various routers, baby monitors and other IoT (Internet of Things) devices manufactured by D-Link Systems Inc are unsafe, as they do not take appropriate measures to protect these devices against hacking activity. This is a major issue for all of us in business, as evidenced by the recent DDoS attack against Dyn. Not securing the billions of these IoT devices, which will cover everything from your fridge to your TV and your home heating to your smart TV, means there will soon be massive attack networks capable of bringing down even the largest business.