Excerpt: 2011 Emerging Issues 5859
Summary: On June 9, 2011, the UK's
data privacy regulator, the Information Commissioner's Office, imposed its
biggest fine to date against a single data controller for breaching the UK's
Data Protection Act 1998. The ICO issued a monetary penalty of £120,000 for
violations that arose out of three separate incidents in which emails
containing sensitive personal data were sent to the wrong recipients. Marc
Lederer discusses the implications.
Article: On June 9, 2011, the UK's data privacy regulator,
the Information Commissioner's Office (the "ICO"), imposed its
biggest fine to date against a single data controller for
breaching the UK's Data Protection Act 1998 (the "Data Protection
Act"). The ICO served Surrey County Council ("Surrey") with a
monetary penalty of £120,000 for violations of the Data Protection
Act that arose out of three separate incidents in which emails containing
Sensitive Personal Data were sent to the wrong recipients.
Data Breach Incidents
The first incident occurred on May 17, 2010, and was the most significant of
the three breaches. A staff member of Surrey emailed an Excel file containing
Sensitive Personal Data of 241
individuals to the wrong group email address, which contained the email
addresses of 361 transportation companies. The ICO noted that because the email
was not encrypted or password protected, it had the potential to be viewed by a
considerable number of unauthorized persons. The ICO also noted that the Surrey
staff member who inadvertently sent the subject email had expressed concern,
indicating that she was uncomfortable with her assigned task as she had limited
experience with computers, had not attended all appropriate IT training and was
unfamiliar with Excel. When Surrey discovered the error, it attempted to recall
the email and prevent further dissemination of the Sensitive Personal Data, but
was unable to conclude that all recipients had destroyed such information.
Surrey notified the affected individuals (or their representatives) of the
breach and reported the incident to the ICO. Within days following this breach,
Surrey drafted a safeguarding action plan that included a reminder to
management to provide IT training and guidance to employees.
The second incident occurred on...
The complete commentary, "ICO Issues Its Largest Fine against a
Single Entity for Data Security Breach", is available to Lexis.com subscribers.
About the Authors:
Marc J. Lederer is a privacy law attorney at Willkie Farr
and Gallagher LLP in New York, NY. He regularly counsels clients on privacy and
data security issues. Mr. Lederer advises financial institutions as to
compliance with the numerous federal, state, and international privacy and data
security laws. Mr. Lederer can be reached by phone at 212-728-8624 or by email