Not fit for purpose
1 grand fine - what's the point? Should have been serious money
Typical Talk Talk appealing even that paltry amount
TalkTalk has lost its appeal against the Information Commissioner's Office decision to fine the company £1,000 for a data breach last year. The ICO imposed a monetary penalty on TalkTalk for its failure to notify the Commissioner of a personal data breach within 24 hours after its detection, in circumstances it considered were …
The point is to make a point, that they were in breach.
The point of appealing was to try and reverse that point.
The fact that the actual amount of money is basically meaningless proves that this is about making quite important points, not about the money.
Talk talk may be pretty awful, but their behaviour in appealing this is perfectly logical.
"Talk talk may be pretty awful, but their behaviour in appealing this is perfectly logical."
It's only a logical course of action if their lawyer can point to something in the law which s/he thinks might prove the case in their favour. This was pretty cut and dried. The breach, by definition, had already happened and it should not have. It was clearly their fault for not doing a proper security audit. Even if they had paid for an external security consultant to do the audit and s/he was incompetent, that's still TalkTalk's fault. The buck has to stop somewhere. They could, of course, then go on to sue an external agent if they thought they got a bum deal from said agent.
They went to all the hassle of lawyering up to contest a £1000 fine? Considering the costs incurred by the ICO in defending their decision against the appeal I'd have considered a min 100x increase to be appropriate punishment for such an egregious appeal.
I accept they may have been trying to reverse the conviction rather than the nominal amount of the fine but if Dido's contrite wailings* had any credence they would have paid up, written off the £1k to experience, booked a gain from having deprived the lawyers of their hundreds of billable hours (or even spent the savings on some proper IT security bods) and moved the fuck on.
*Yes, I know. During that performance I was half expecting a caption to flash up, "Members of the Academy: Vote now!"
They went to all the hassle of lawyering up to contest a £1000 fine?
In this case that's the biggest fine the ICO can offer for late notification. However, as a general rule, the fines (or "monetary penalties") that UK regulators impose are decided by a range of factors, including a particular consideration of the track record of offenders. If TT can get out of the £1k fine, it will have a bearing on future penalties for next time they screw up. With the ICO only handing out a theoretical maximum £500k fine for major breaches that still doesn't matter. But under the EU GDPR fines could be very serious from May 2018, and that's probably what is being played for here.
The Remainderers will weep and gnash their teeth and say that Brexit means we won't have any protection under GDPR because it probably won't be enforced during the leaving period. In strict terms that's not proven, but even if that is the case I would suggest that the UK government will not wish to have the weakest data protection regime in the developed world (and a system that prevents data transfer from the EU), so a UK act of similar standards is a near certainty.
So for TalkTalk, appealing the penalty makes economic sense, since even the smallest chance of success is worth hoping for.
"They went to all the hassle of lawyering up to contest a £1000 fine?"
The fine is from the ICO.
The consequent exposure to private legal action is virtually unlimited and the ICO fine makes it uncontestable as the court will see it as proof that they were deficient under the act.
As long as a precedent is set of a £1000 fine per individual whose data are compromised, and as long as that passes on to every other breach by TalkTalk, then this isn't a bad start for the punitive element. Provided, of course, there's also compensation to the individuals concerned, of at least twice the amount put at risk in each case.
That's kind of what gets me in these situations. A company like TalkTalk messes up and spills millions of their customers' personal data across the net. Regardless of whether the company get fined or not for their lack of security, those who are actually hurt by the company's negligence don't see a penny of it. Instead, whenever the victim of a data breach is subsequently the subject of bank / identity fraud, they are usually blamed for having poor security / bad passwords.
A combination of stiffer fines and enforced refunds are definitely in order, I feel.
"A combination of stiffer fines and enforced refunds are definitely in order, I feel."
...and the CEO given a box, five minutes, then escorted from the premises with all contacts terminated.
And rather than complaining she should feel lucky she wasn't given a sword and an empty patch of floor space.
Because until the fucking management feels hurt in these situations, they will continue, as will the idiotic fines.
"TalkTalk has lost its appeal against the Information Commissioner's Office decision to fine the company £1,000 for a data breach last year."
I should hope they did lose their appeal. The only appeal Talk Talk need to make is an appeal for forgiveness from all the people affected by their lacklustre security.
The handling of these hacks and breaches by Talk Talk has been appalling. Talk Talk won't be able to restore their reputation by appealing fines for data breaches.
"Talk Talk won't be able to restore their reputation by appealing fines for data breaches." You being serious? At this stage in its life cycle, TalkTalk doesn't give a bugger about "reputation". All it cares about is fishing the moron pool to exhaustion. When there's a final irreversible decline in the number of morons signing up for its services, then and only then will it think about 'reputation' -- as in, how much value might be attached to the TalkTalk name, now that the business is up for sale...
I can imagine that there was a bug in TalkTalk's bug tracker along the lines of "under specific circumstances a customer might see another's data" which was marked down in priority over adding a specific new feature like "add another advert on the page for TalkTalk's products".
I can also imagine that the developers probably shouted out this needed to be investigated and fixed, and requested more hardware and QA/testing staff to work on it, and they were told that giving Dido and other directors a bigger bonus and a new car was more important.
And I can imagine that when the bug went public, the developers would have been berated for not fixing it.
Of course she is.
In the circumstances, your annual Capitalism training course has been brought forward to September to clarify your uncertainty on this fundamental premise of our society.
War is peace. Freedom is slavery. Ignorance is strength.
Resistance is futile.
Every week on BBC consumer shows there are victims of the TalkTalk hack and the TalkTalk data sale (when an IT company in India it appointed had an employee that sold data).
One lady lost £7000.
How about a fine of £1000 per person whose data was stolen? They were saying it was around 159,000 customers, but I suspect it is in the millions; how could they even know?
Companies of such a size can take precautions to prevent a hack and THERE IS NO EXCUSE for an IT-aware company like TalkTalk to have allowed themselves to be hacked.
Never mind selling off BT Wholesale (which TalkTalk are always pushing for), how about we sell off TT biz?