TalkTalk could have faced £70m fine under GDPR

TalkTalk has expressed its “disappointment” at the £400,000 fine dished out by the Information Commissioner’s Office over last October’s data breach, despite criticism from some quarters that it got off lightly and that under the new EU data laws it could have faced a £70m penalty.
The timing of the fine is hardly ideal: TalkTalk has this week launched a new ad campaign under the strapline “And this is the stuff that matters”. The ‘fly-on-the-wall’-style ad, by CHI & Partners, is designed to show just how much being connected matters.
In a statement on its website TalkTalk said: “[We have] cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.”
But Mishcon de Reya’s Cyber Security Lead Joe Hancock said: “£400,000 is still a relatively small fine compared to the potential fines that will be levied under the General Data Protection Regulation (GDPR) – the greater of up to 4% of global turnover or €20m. For TalkTalk this could have been over £70m.
“The question now remains whether the responsibility for the fine is with TalkTalk itself, or should be shared between their service providers and suppliers. These issues are likely to become more pressing as the size of fines increases under GDPR.”
And Mark Skilton, a Professor of Practice at Warwick Business School, called the ICO fine “little more than a sting to TalkTalk’s finances”. He pointed out that, even factoring in the reported figures of 157,000 customers whose personal details were stolen and the 16,000 who had bank details stolen, the fine still equates to only £2.50 per head, or £25 per person who lost banking data.
He maintains that the fine shows little regard for the possible risks and lack of due diligence of a company with 4 million subscribers.
“Even if liability insurance may have covered the possible losses of those customers, it still raises questions over digital risk governance and how necessary it is for corporates to take it seriously.
“The money from the £400,000 fine could have been invested in better security staff in the organisation and further investment in cyber monitoring and response detection, but it raises the question over current legal punitive measures that focus on specific losses as opposed to corporate responsibilities.”
