IICSA fined £200,000 for e-mail data breach
A simple mistake, putting recipients' addresses in the 'to' field instead of the 'bcc' field, has led the Information Commissioner's Office (the ICO) to fine the Independent Inquiry into Child Sexual Abuse (the IICSA) £200,000. The e-mail that went out showed every recipient the addresses of all the others, and with them the possible identities of victims of historic abuse.
Despite the IICSA's efforts in asking recipients not to circulate the e-mail, several recipients used 'Reply All', which added yet more e-mail addresses to the recipient list and spread the original list further still.
It is noteworthy that this case was dealt with under the Data Protection Act 1998 (the 1998 Act) provisions and maximum penalties (because of the date of the breach) and not under the new Data Protection Act 2018 (the 2018 Act) which has replaced it. The date of the IICSA breach was 27 February 2018, and the 2018 Act came into force on 25 May 2018.
Had this case been dealt with under the 2018 Act, the fine could have been set at the 'higher maximum amount', which section 157 of the 2018 Act (giving effect to Article 83 of the GDPR) defines as up to £17 million or 4% of total annual worldwide turnover, whichever is higher. By contrast, the maximum fine under the 1998 Act is £500,000.
This once again serves as a reminder to all of those who hold personal details of ‘data subjects’: be careful and diligent!
So what are some of the key points that you and your business should take away from this case?
- Staff should be given (at the very least adequate) guidance and training on double-checking that, for any message going to a group, recipients' addresses are put in the correct field (i.e. 'bcc') and, of course, that only the intended recipients are included at all!
- Do you share customers' or clients' e-mail addresses with a third-party IT company? If so, ensure that you have a lawful basis (such as the recipients' consent) for doing so, and check that the IT company managing your mailing lists has its own safeguards and procedures in place to prevent and deal with data breaches.
- Do you have a facility for sending a separate e-mail to each recipient (a mail-merge or bulk-mailing tool) rather than one message with everyone copied in? If not, it may be worth asking your IT provider about this.
- Having robust policies and procedures in place will help you identify data breaches and react to them as quickly as possible, and may even stop a breach occurring in the first place!
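The two technical points in that list, sending one message per recipient and checking the visible recipient fields before anything is sent, can be built into the tool that does the mailing rather than left to a person remembering to use 'bcc'. The following is an added example written for this page; it is not code from Chattertons, the IICSA or the ICO. The delivery step is injected as a callable (in practice that would be something like `smtplib.SMTP.send_message`), and the addresses and the limit of one visible recipient are constructed assumptions.

```python
"""Guard against the 'to' instead of 'bcc' mistake when mailing a list.

Added example (not from the original article). Two safeguards:
  1. build one message per recipient, so no address ever shares a header;
  2. refuse to send any message whose visible To/Cc headers name more than
     MAX_VISIBLE_RECIPIENTS addresses, whatever tool produced it.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable, List

# Assumption: a message sent to a list should show at most one address.
MAX_VISIBLE_RECIPIENTS = 1


class RecipientLeakError(ValueError):
    """Raised when a message would expose recipients' addresses to each other."""


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Return every address all recipients would see: To and Cc, never Bcc."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def check_no_leak(msg: EmailMessage) -> None:
    """Refuse a message listing more than MAX_VISIBLE_RECIPIENTS addresses in To/Cc."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise RecipientLeakError(
            f"{len(seen)} addresses visible in To/Cc; use Bcc or one message per recipient"
        )


def build_individual_messages(sender: str, recipients: Iterable[str],
                              subject: str, body: str) -> List[EmailMessage]:
    """Create one message per recipient (duplicates removed, order kept)."""
    messages = []
    for rcpt in dict.fromkeys(a.strip() for a in recipients if a.strip()):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt          # exactly one visible address per message
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def send_all(messages: Iterable[EmailMessage],
             transport: Callable[[EmailMessage], None]) -> int:
    """Run the leak check on every message before handing it to `transport`.

    `transport` is whatever actually delivers mail (e.g. smtplib.SMTP.send_message);
    injecting it keeps this example runnable offline. Returns the number sent.
    """
    sent = 0
    for msg in messages:
        check_no_leak(msg)  # raises before anything leaves the organisation
        transport(msg)
        sent += 1
    return sent


if __name__ == "__main__":
    # Constructed sample list; these are not real addresses.
    mailing_list = ["a.person@example.org", "b.person@example.org", "a.person@example.org"]

    # The mistake: every address in the To field of a single message.
    leaky = EmailMessage()
    leaky["From"] = "inquiry@example.org"
    leaky["To"] = ", ".join(mailing_list)
    leaky["Subject"] = "Update"
    leaky.set_content("...")
    try:
        send_all([leaky], transport=lambda m: None)
    except RecipientLeakError as err:
        print("blocked:", err)

    # The fix: one message per recipient, each passing the same check.
    safe = build_individual_messages("inquiry@example.org", mailing_list, "Update", "...")
    print("sent", send_all(safe, transport=lambda m: None), "individual messages")
```

The check deliberately ignores the Bcc header, because that is the one field whose contents recipients never see; a message with a long Bcc list passes, while the same list pasted into To or Cc is rejected before it reaches the mail server.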
What can Chattertons do for you?
We offer a full, tailored and holistic service to our clients and have a number of solicitors and specialists who can advise on all data protection and GDPR matters.
If you would like any further details on data protection and GDPR compliance, or would like to discuss your specific needs and requirements, please contact your most convenient office, complete the online enquiry form on the right-hand side of this page or, if you prefer, contact a team member directly.