ICO Issues Its Largest Fine against a Single Entity for Data Security Breach


Excerpt: 2011 Emerging Issues 5859

Summary: On June 9, 2011, the UK's data privacy regulator, the Information Commissioner's Office, imposed its biggest fine to date against a single data controller for breaching the UK's Data Protection Act of 1998. The ICO issued a monetary penalty of £120,000 for violations that arose out of three separate incidents in which emails containing sensitive personal data were sent to the wrong recipients. Marc Lederer discusses the implications of this decision.


Article: On June 9, 2011, the UK's data privacy regulator, the Information Commissioner's Office (the "ICO"), imposed its biggest fine to date against a single data controller [1] for breaching the UK's Data Protection Act of 1998 (the "Data Protection Act"). The ICO served Surrey County Council ("Surrey") with a monetary penalty of £120,000 for violations of the Data Protection Act that arose out of three separate incidents in which emails containing sensitive personal data [2] were sent to the wrong recipients. [3]

Data Breach Incidents

The first incident occurred on May 17, 2010, and was the most significant of the three breaches. A staff member of Surrey emailed an Excel file containing Sensitive Personal Data [4] of 241 individuals to the wrong group email address, which contained the email addresses of 361 transportation companies. The ICO noted that because the email was neither encrypted nor password protected, it had the potential to be viewed by a considerable number of unauthorized persons. The ICO also noted that the Surrey staff member who inadvertently sent the email had previously expressed concern, indicating that she was uncomfortable with her assigned task because she had limited experience with computers, had not attended all appropriate IT training and was unfamiliar with Excel. When Surrey discovered the error, it attempted to recall the email and prevent further dissemination of the Sensitive Personal Data, but was unable to confirm that all recipients had destroyed the information. Surrey notified the affected individuals (or their representatives) of the breach and reported the incident to the ICO. Within days of the breach, Surrey drafted a safeguarding action plan that included a reminder to management to provide IT training and guidance to employees.

The second incident occurred on...

Lexis.com subscribers can access the complete commentary: ICO Issues Its Largest Fine against a Single Entity for Data Security Breach. Additional fees may be incurred.


About the Authors:

Marc J. Lederer is a privacy law attorney at Willkie Farr and Gallagher LLP in New York, NY. He regularly counsels clients on privacy and data security issues. Mr. Lederer advises financial institutions as to compliance with the numerous federal, state, and international privacy and data security laws. Mr. Lederer can be reached by phone at 212-728-8624 or by email at mlederer@willkie.com.