Data Protection News Sept 19

Maria McCoy, Head of Data Governance and Compliance at Leading Resolutions, examines:

Q3 2019 Round-up of Data Breaches and ICO Fines
Two big GDPR-level fines announced by the ICO
The Dawn of Data Ethics
November 28 2019
Two Big GDPR Fines

On the 8th July 2019, the ICO announced its intent to fine British Airways £183m for two cyber-attacks which exposed the data of over half a million customers. The attacks were carried out by Magecart Group, an organisation that also attacked Ticketmaster and Newegg in 2018. This fine represents approximately 1.5% of BA's total revenue for 2017.

The following day, the ICO also announced its intention to fine Marriott International Inc. £99m for a data breach affecting 339 million guests, 30 million of whom were from 31 countries in Europe. It is believed that this system vulnerability began in 2014 but was not discovered until 2018. The ICO investigated this breach as lead supervisory authority on behalf of other EU member states.

Data Breaches

The number of Data Breaches reported in the media during Q3 was 123, with the number of estimated records breached continuing the trend so far this year, at 3.5 billion this quarter. That makes 11 billion records exposed so far in 2019. The biggest global breaches from Q3 were:

  • Chinese smart home company Orvibo exposed 2 billion user device logs on their ElasticSearch server
  • Facebook – a dataset of 419 million phone numbers and Facebook IDs has been discovered online
  • Game maker Zynga – 218 million user details hacked
  • Dealer Leader left 198 million records of prospective car buyers exposed on an unsecured server

ICO Fines

Q3 of 2019 saw only three ICO fines, totalling £390,000. The six-figure fines this quarter were:

  • Making It Easy Ltd fined £160,000 for making calls to individuals registered with TPS
  • Superior Style Home Improvement were fined £150,000 also for making calls to individuals registered with TPS

For more detailed information about ICO fines, see the ICO enforcement webpage:

The Dawn of Data Ethics

Ethics is the study of moral dilemmas and is rooted in the ancient philosophical theories of Aristotle and Confucius. We have developed practical applications of these theories whenever rapid changes in society occur that give rise to moral and ethical dilemmas. Examples of such changes are industrialisation, medical advancements and a paradigm shift toward environmental sustainability. Throughout history, we have managed to mitigate these man-made risks to society through the development of new regulations, global standards, education and ethical frameworks.

Similarly, in the last decade, there have been rapid developments in the data technology space, including big data, social media, AI and machine learning. This has led to a revolution in data privacy regulation and the development of data ethics frameworks around the globe. These philosophical and legal developments increasingly place human interests at the centre of this cultural movement.

Data ethics describes standards of behaviour, encompassing the following:

  • The ethics of data handling – how data is generated, recorded and shared sustainably and transparently
  • The ethics of algorithms – how artificial intelligence, machine learning and robots interpret data without unfair bias
  • The ethics of practice – codes of conduct for how to responsibly innovate in data technology

Ethical practices should consider not only what you intend to do but also how to protect against unintended consequences. Data ethics and innovation are not mutually exclusive, but striking a robust balance between enabling innovation and respecting privacy and human rights is not an easy task.

Businesses are starting to recognise that they can use data ethics to increase compliance, build consumer and investor trust, protect against social bias and improve public perception. More visionary companies are therefore starting to embrace sustainable data use by positioning themselves within this movement – prioritising the development of privacy frameworks and recognising the value of individual data control.

However, it is not just about competitive advantage; sustainable data usage is also necessary for society as a whole. It plays a similar role to having robust environmental policies and practices – essential for company survival, but also for the planet’s welfare.

There is currently no one-size-fits-all solution for applied data ethics. We are on a journey of maturity and experimentation where regulation, technology and public perception are tested and adjusted on a daily basis.

Does your organisation have a clear moral stance on the appropriate use of data?

Note from the Author - Maria McCoy

Let me know your thoughts about Data Protection and by all means get in touch with me on LinkedIn / email with your comments and any questions. I’d love to hear how you are responding and of course answer any questions you may have.

Maria McCoy LinkedIn