The Cost of Losing Personal Data: Sony, The Money Shop, South Wales Police and Carphone Warehouse

The Information Commissioner’s Office (ICO) is responsible for holding companies and organisations (who hold personal data) to account when they breach the Data Protection Act (DPA) by, for example, not using appropriate technical and organisational security measures to prevent loss of personal data.

Monetary Penalties

The ICO was once seen as a bit of a toothless organisation due to its limited ability to fine those in breach of the DPA, however they currently have the ability to fine those infringers up to £500,000 and they are not being shy about using this power.

On 11 May 2015, the ICO fined South Wales Police £160,000 after it lost a video interview with a victim which formed part of the evidence in a sexual abuse case. The DVDs containing the interview were unencrypted and left in a desk drawer. On 4 August 2015, the ICO fined Instant Cash Loans Ltd (trading as “The Money Shop”) £180,000 after it lost computer equipment containing a large amount of customer details. The data had not been properly encrypted.

We have heard over the weekend that the ICO is “making enquiries” in relation to reports that personal data of up to 2.4 million Carphone Warehouse customers, may have been taken during a cyber-attack that was discovered on Wednesday afternoon. In January 2013, Sony was fined £250,000 by the ICO after the Sony Playstation Network was hacked which compromised the personal data of millions of Sony’s customers. The ICO found that the attack could have been prevented if the software used had been up-to-date and that technological developments meant that passwords were not secure. Carphone Warehouse will therefore come under significant scrutiny from the ICO to show that they did have appropriate safeguards in place otherwise they may be next in line to receive a large fine.

Companies and organisations should be taking note that the ICO is willing and able to issue large fines in this area and they should be ensuring that their organisational and technological data security procedures are appropriate and, importantly, are kept up-to-date.

Civil Remedies

Companies and organisations should bear in mind that they are not just at risk of a monetary fine from the ICO.

Individuals who have suffered “damage” as a result of a breach of the DPA by a data controller may be able to claim compensation from that data controller through the courts (the ICO does not award compensation). Such “damage” can include financial loss and, in certain circumstances, distress (however if there is no financial loss then it will not be possible to claim for distress alone).

If you wish to discuss any of the issues raised in this article please contact Nick Phillips – Partner, Charlie White – Associate, or any member of the Edwin Coe Intellectual Property team.

Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.

Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.

Please also see a copy of our terms of use here in respect of our website which apply also to all of our blogs.