25 July 2014
Parliament set the DPA 1998 Monetary Penalty threshold at breaches which were ‘likely to cause substantial damage or substantial distress’ for good reason. The latest MPN again fails to explain how this test was satisfied.
The ICO issued another MPN in relation to a breach of the DPA yesterday. A limited company, Think W3 Limited (owned by Thomas Cook) was fined £150,000 by the ICO following its website being hacked by a sophisticated hacker who obtained details of over a million customers credit and debit cards. Crucially the CVV numbers of the cards were not accessible. So in reality it is in unlikely the stolen information could have been used to purchase goods over the telephone or from websites.
The ICO decided that because the hack was able to be carried out, a serious breach of the seventh data protection principle had occurred and therefore considered that a MPN was appropriate. The ICO also felt that the breach was of a kind likely to cause substantial damage indicating that the information “could be used for fraudulent transactions/purposes”. There was no further information in the MPN as to how this was likely, for example, without the CVV number. Given that the ICO stated that this was “presumably a targeted attack” and also that there was no evidence or confirmation of fraudulent action having taken place – the question is – how likely is it to occur? It is accepted that actual fraud/damage is not required, but the Upper Tier Tribunal (Niebel appeal) has recently ruled that the term “likelihood” requires there to be a significant risk [of fraud], even if the risk falls short of being more probable than not. We see no explanation of the ICO's reasoning in deciding that fraud was likely contained in the Think W3 MPN decision notice.
Instead it is disappointing to note that the ICO’s reasoning in relation to the “likelihood” of “substantial distress” continues to display the reasoning and logical non sequiturs previously criticised by the First Tier Tribunal in the Scottish Borders MPN appeal. The data subjects did not know of the hack but, if they were told, the act of imparting knowledge of the hack would be likely to cause them substantial distress. This opaque process of cumulative assumptions gives no indication of the factor that actually engages section 55A DPA.
It is interesting to note that the aggravating features the ICO listed in this case were that the data controller is a limited company and so liability to pay a fine will not fall on an individual; and that there will be sufficient financial resources to pay the fine without causing undue financial hardship. This is in complete contradiction of the approach outlined in the ICO’s own Framework for Determining Monetary Penalties which states that step 2 in the process is that the ICO should take into account aggravating and mitigating factors as follows:
Step 2 – aggravating and mitigating factors
The panel may increase or decrease the amount of the monetary penalty arrived at after Step 1 to take into account factors which aggravate or mitigate the contravention. The factors that may have the effect of aggravating or mitigating the contravention are not those that relate directly to the breach, e.g. the nature of the data or number of data subjects. They are factors such as the behaviour of the data controller following the breach, whether the data controller had previously declined to submit to an audit, the general record of the data controller and any other factors taken into account that were not considered at Step 1. However, the likely financial impact of a monetary penalty on the data controller will not be considered at Step 2.
Although the financial impact on the data controller is a consideration set out in the Framework, according to the ICO’s own document, this should be done at stage 3. It may seem like semantics, but there is a framework for good reason. It mirrors the standard approach to sentencing (see for example the Guidelines in relation to Corporate Manslaughter), but the ICO seems routinely to ignore its own Framework. The ICO has indicated that financial circumstances are only really relevant when proof of genuine financial hardship has been supplied and therefore the size, turnover and profit/loss accounts of the company are not really relevant. As clearly stated at the Scottish Borders hearing, the fact that the money comes from the public purse and may impact on the public rather than shareholders is not significant either.
Finally it is worth noting that in this MPN the fact that the loss of data was voluntarily reported to the ICO is deemed to be mitigation. This is an approach that we agree with. However this is in contrast to the position stated by David Smith at the Scottish Borders hearing where he indicated that self-reporting of an incident would not reduce the fine, but a failure to report may increase it. This approach was received with some surprise by the Tribunal at the time and rightly so in our view.
The Think W3 contravention was considered “very serious” by the ICO which means that it falls into the range of fines of between £100,000 and £250,000. The ICO has explained that it first categorises a breach as ‘serious’ or ‘very serious’ or ‘most serious’ and then its starting point is in the middle of the range as set out in the framework. So for a “very serious” breach the starting point is £175,000 and then the fine is increased or reduced by aggravating or mitigating factors as is seen fit. We leave you to decide how the ‘discount’ of £25,000 was reached here!
Paul Motion is a solicitor advocate with BTO Solicitors in Edinburgh. They acted for Scottish Borders Council in the appeal which is mentioned.