It seems that the UK’s Information Commissioner (ICO) is getting into the habit of fining TalkTalk, the multiplay telco with an unenviable reputation for compromising customer data. The Commissioner has fined TalkTalk GBP100,000 (USD130,000) for not complying with the UK’s Data Protection Act. Per ICO’s press release:
An ICO investigation found TalkTalk breached the Data Protection Act because it allowed staff to have access to large quantities of customers’ data. Its lack of adequate security measures left the data open to exploitation by rogue employees.
This wording is sloppy, because the ‘investigation’ actually found the data was liable to exploitation by the employees of Wipro, a supplier to TalkTalk. Per the official penalty notice:
TalkTalk provided 40 Wipro employees with access to the relevant personal data of between 25,000 to 50,000 (sic) through the portal. [Presumably these numbers refer to customers.] No controls were put in place to limit access to the customers whose accounts were being worked on…
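The control the penalty notice says was missing is easy to describe and not hard to build: a portal read should only succeed when the requesting agent holds an open work item for that particular customer, and every attempt should be logged so that bulk browsing stands out afterwards. The following Python is an added illustration of that pattern; it is not TalkTalk's, Wipro's or the ICO's code, and the agent names, ticket ids, threshold and customer records are constructed assumptions.

```python
# Added example (not TalkTalk's, Wipro's or the ICO's code): a supplier-facing
# customer portal where each record read must be bound to an open work item
# assigned to the requesting agent, plus a simple audit-log check that flags
# agents whose reads span unusually many distinct customers. Names, the
# threshold and the sample data are constructed assumptions.
from dataclasses import dataclass, field
from collections import defaultdict


class AccessDenied(Exception):
    """Raised when a read is not covered by an open, assigned work item."""


@dataclass
class WorkItem:
    ticket_id: str
    customer_id: str   # the single customer this ticket authorises work on
    assignee: str      # agent login the ticket is assigned to
    is_open: bool = True


@dataclass
class ScopedPortal:
    records: dict                       # customer_id -> record (constructed)
    work_items: dict                    # ticket_id -> WorkItem
    audit_log: list = field(default_factory=list)

    def read_customer(self, agent: str, ticket_id: str, customer_id: str) -> dict:
        """Return a customer record only if `agent` holds an open ticket for it."""
        item = self.work_items.get(ticket_id)
        allowed = (
            item is not None
            and item.is_open
            and item.assignee == agent
            and item.customer_id == customer_id
            and customer_id in self.records
        )
        # Every attempt is logged, denied ones included, so a later review can
        # see probing as well as successful reads.
        self.audit_log.append(
            {"agent": agent, "ticket": ticket_id, "customer": customer_id,
             "allowed": allowed}
        )
        if not allowed:
            raise AccessDenied(f"{agent} may not read {customer_id} under {ticket_id}")
        return self.records[customer_id]


def agents_over_threshold(audit_log: list, max_customers: int) -> dict:
    """Flag agents whose successful reads cover more distinct customers than a
    single agent's ticket queue plausibly needs (the threshold is an assumption)."""
    seen = defaultdict(set)
    for entry in audit_log:
        if entry["allowed"]:
            seen[entry["agent"]].add(entry["customer"])
    return {agent: len(custs) for agent, custs in seen.items()
            if len(custs) > max_customers}


def build_sample_portal() -> ScopedPortal:
    """Constructed sample data: three customers, three tickets."""
    records = {f"cust-{n}": {"name": f"Customer {n}"} for n in range(1, 4)}
    work_items = {
        "T-1": WorkItem("T-1", "cust-1", "agent.a"),
        "T-2": WorkItem("T-2", "cust-2", "agent.b"),
        "T-3": WorkItem("T-3", "cust-3", "agent.a", is_open=False),
    }
    return ScopedPortal(records, work_items)


def demo() -> dict:
    """Exercise the legitimate path and three refused ones; return the outcomes."""
    portal = build_sample_portal()
    results = {}
    # Legitimate: agent.a works cust-1 under its own open ticket.
    results["own_ticket"] = portal.read_customer("agent.a", "T-1", "cust-1")["name"]
    attempts = {
        "other_customer": ("agent.a", "T-1", "cust-2"),   # unrelated customer
        "colleague_ticket": ("agent.a", "T-2", "cust-2"),  # someone else's ticket
        "closed_ticket": ("agent.a", "T-3", "cust-3"),     # ticket already closed
    }
    for label, (agent, ticket, cust) in attempts.items():
        try:
            portal.read_customer(agent, ticket, cust)
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    results["denied_attempts"] = sum(1 for e in portal.audit_log if not e["allowed"])
    results["flagged"] = agents_over_threshold(portal.audit_log, max_customers=2)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of binding reads to a ticket rather than to a role is that an agent's reach is then bounded by the work actually assigned to them, and the audit trail gives the data controller something concrete to review rather than an open-ended "has access to the portal" permission.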
TalkTalk’s failings will hardly be news to customers, or even to the UK press. Wipro employees who sold TalkTalk customer data were arrested in 2016, and the many victims of the resulting ‘industrial-scale’ scams have received widespread coverage. One pertinent question raised by those victims is why ICO’s ‘investigations’ take so long; the relevant concerns were brought to ICO’s attention in 2015. But after two years of ‘investigation’ ICO was still not able to identify any link between weak data protection controls and the surge in scams blighting TalkTalk customers. ICO’s press release noted:
The ICO investigation did not find direct evidence of a link between the compromised information and the complaints about scam calls.
This story has many familiar features. A business is repeatedly caught failing to comply with rules designed to protect customer data, but only after customers suffer. If no customers had suffered, nobody would have known about the company’s non-compliance. Even when customers start howling about scams, it takes years for the data protection authority to ‘investigate’ what went wrong, and that authority proves incapable of establishing anything beyond the weaknesses the business has already told it about. Those weaknesses amount to non-compliance with a general principle, which raises the question of what an appropriate fine is when many other firms must also be failing to comply with the same non-specific principles. The quantitative decision of choosing the scale of the penalty contrasts with the subjective, imprecise and qualitative wording of the rule that was broken. Yet the data protection authority finally finds the courage to take ‘action’ only because of all the negative publicity already generated.
In other words, data protection law can be used to punish businesses that fail to protect customer data, but only two years after the data has already been compromised, and ten years after the flaw which led to the breach was first identified by a business which decided to do nothing about it. Is it any wonder that we will keep hearing about breaches and fines when the apparatus for ‘protecting’ people is always so far behind? What this story really confirms is that the compliance mindset is inadequate. Ethical businesses need to proactively safeguard customer data without waiting to be told how, when or why.