ICO announced record fine on TalkTalk in relation to cyber attack

On 5 October 2016, the Information Commissioner’s Office announced that it had imposed a record fine on TalkTalk in relation to the cyber attack suffered by TalkTalk last year. Click here for the official announcement.

The following key points arise out of the ICO’s decision and comments:

• TalkTalk was fined because the ICO concluded that it had not done enough to prevent the attack and had not spotted earlier attacks.  Many companies are victims of an attack, but the ICO will only levy a fine if it considers that the company did not take reasonable steps to prevent it.  This is an example of the ICO punishing a company for allowing itself to be a victim.
• The ICO is clearly keen to use this case as a wake up call to boards and senior management that cyber security is a board issue, not just an IT issue.  It can be seen as part of the current regulatory drive to hold senior management to account for failings within their organisation.
• The case is a stark warning of the potential dangers of acquiring other companies with less secure IT systems (as the hackers gained access through vulnerable websites of a company acquired by TalkTalk 6 years previously).  It highlights the need for very careful due diligence of the cyber resilience of any company being acquired.
• The fine is close to the maximum £500,000 that the ICO is currently able to impose.  However, when the EU General Data Protection Regulation comes into force in May 2018, potential fines will increase dramatically as the ICO will be able to impose fines of up to €20 million or 4% of a company’s annual global turnover (whichever is the greater).
• Individuals whose data was compromised may now try to use the ICO’s ruling as a basis for compensation claims against TalkTalk.