UK Authority Warns Small Companies: “Data Protection Laws Apply to You” Fining an SME £60,000 for Failing To Take Basic Steps
The UK Information Commissioner’s Office sent a clear signal last month that it is paying close attention to the data protection measures taken by small and medium sized companies. In a statement published June 27, 2017 titled “Warning to SMEs as firm hit by cyber attack fined £60,000” (i.e. about $80,000 U.S.), the ICO announced an action against Boomerang Video, a small Internet company based in Berkshire, England, for failure to take appropriate steps to secure customer information.
ICO enforcement manager, Anne Poole said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
Boomerang Video operates a website that enables its customers to rent video games via a payment web application. The website was developed in 2005 by a third-party company. Boomerang Video was unaware that the login page contained a coding error. An attacker exploited this vulnerability to gain access to usernames and passwords hashes for one part of the site. The attacker then further compromised the system, including its encryption measures, and gained access to the personal data of individuals. In the end, it accessed the details of over 26,000 customers.
The ICO fined Boomerang because it failed to conduct regular penetration testing on its own site, failed to have a sufficiently complex password for its back-end login, and failed to keep its decryption key secure.
Among the aggravating factors in the case that the ICO noted was that Boomerang was not aware of the breach until 30 days after it occurred when it was notified by customers. It further noted that Boomerang had assessed itself to be compliant with applicable security standards, even though it had not carried out necessary testing.
In short, Boomerang hadn’t been paying attention.
The ICO decision is an important reminder that companies of all sizes must stay attentive to data protection and security requirements. Data protection, privacy and security are not only the concern of large companies – data protection authorities understand that small and medium sized companies manage large amounts of personal data. They also know that data protection and security must be addressed across the market, and that smaller enterprises can create a weak link that opens systems to risk.
Data protection and smart data governance are the concern of all companies. Failing to recognize this exposes companies to money sanctions and compromise to brand and reputation. This ICO decision is a bellwether, as the GDPR that comes into effect in May of next year will give protection authorities yet another means of making sure companies take necessary steps to manage and protect personal data responsibly and in keeping with laws and regulation.
Achieved Compliance – helping you navigate the complex world of data compliance.
Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.
For more information as to how we can help your organization be GDPR compliant please contact firstname.lastname@example.org.