Nationwide Building Society Is Fined £980,000 ($1.9 Million): Has The European Data Protection Enforcement Framework Suddenly Changed?
In recent weeks, hefty fines for data breaches have been issued in the
European privacy officers often bemoan the perception that data protection regulators in the European Union lack any real enforcement power. Consequently, many businesses adopt a patchy approach to data protection compliance, gambling on the relatively low risk of being caught. Many privacy officers believe the prospect of a hefty fine to punish breaches, or the requirement to notify regulators and affected individuals, would act as a significant deterrent for companies, forcing them to take data security seriously. In recent weeks, the European compliance landscape has changed dramatically: notification of data breaches is being discussed widely and businesses have been punished for data breaches, receiving hefty fines. Surprisingly, these fines have not been levied by data protection authorities, but by other regulators with overlapping jurisdiction over data security. Data protection enforcement in
European Data Protection Enforcement
In November 2004, the Article 29 Working Party published its Declaration on Enforcement (WP101). In this paper, the Working Party committed itself to the development of proactive enforcement strategies and to an increase in enforcement actions. Specifically, it sought to promote awareness-raising activities, the development of codes of conduct and the provision of guidance and advice as an important part of the data protection compliance agenda. In addition, the Working Party acknowledged the importance of sanctions as a necessary means of ensuring compliance, and made reference to the possibility of EU-wide, synchronized, national enforcement initiatives.
Despite the sentiments expressed in the Declaration, the reality is that the majority of European data protection authorities have only limited power to impose sanctions for breaches of domestic data protection legislation. Article 28(3) of the Data Protection Directive (95/46/EC) states that data protection supervisory authorities shall have investigative powers, effective powers of intervention and the power to engage in legal proceedings. In most member states, the exercise of those powers is severely curtailed, if not by the detail of domestic data protection legislation then, in practical terms, by a lack of funding for enforcement proceedings.
The reality of data protection enforcement across
Against this background, there is an increasing level of discussion across
In addition to the growing movement toward a European data breach notification requirement, there have been two recent examples of enforcement in this area that have garnered the attention of the media and privacy officers alike. Both cases concern a breach of data security obligations, but the key feature of each is that it was a regulator other than a data protection authority that imposed substantial fines to punish the relevant companies. Overlapping jurisdiction over data security requirements and a determination by other regulators to take enforcement action for breaches suggests that regulated businesses (at the very least) have been warned that complacency in this area will not be tolerated.
Nationwide’s £980,000 Fine
On 14 February 2007, the U.K.’s financial services regulator, the Financial Services Authority (FSA), fined a large U.K. financial services business, Nationwide Building Society, £980,000 ($1.9 million) following the theft of an employee’s laptop from their home. The laptop contained customer data relating to some of Nationwide’s 11 million account holders. The FSA deemed Nationwide’s systems and controls for preventing and managing a security breach to be inadequate.
Nationwide informed the police, the Information Commissioner and the FSA of the theft. It was the FSA, exercising its broad supervisory jurisdiction to protect consumers and reduce financial crime, that fined Nationwide. Under the Financial Services and Markets Act 2000 (FSMA) and the Principles for Business developed under FSMA, a regulated business must take reasonable care to establish and maintain such systems and controls as are appropriate to its business. In Nationwide’s case, the FSA was highly critical of the fact that Nationwide’s systems did not monitor or manage large downloads of information to portable storage devices. Further, its information security procedures for staff were dispersed across multiple documents covering a broad range of issues with no search facility. Staff training was generic. Consequently, when the theft occurred, the employee reported the fact of the theft but made no mention of what was on the laptop. The employee then went on holiday for three weeks, during which time there was no further investigation.
The FSA found that:
· Nationwide had failed adequately to assess its information security risks;
· Nationwide’s information security procedures failed to manage the risks the business faced;
· staff were inadequately trained;
· there were inadequate controls in place to mitigate information security risks; and
· there were inadequate procedures in place to manage an incident involving the loss of customer information.
Although Nationwide settled the case at an early stage, receiving a 30 percent discount on the total fine of £1.4 million, the discounted fine of £980,000 remains substantial, particularly for a security breach. The FSA’s jurisdiction to impose a fine for a breach of FSMA is broad and the FSA had no hesitation making clear in its Notice to Nationwide that its objective in imposing the fine was not only to punish Nationwide but also to provide a deterrent to others.
Vodafone Fined €76 Million
Nationwide is not the only recent example of a regulator other than a data protection authority exercising jurisdiction over security breach issues in
Wider Regulatory Implications
If the facts of the Nationwide case were examined in light of the U.K.’s data protection legislation, the Data Protection Act 1998, it seems beyond doubt that Nationwide was in breach of the Seventh Principle (which implements Article 17 of the European Data Privacy Directive (95/46/EC)). That principle requires data controllers to ensure an appropriate level of technical and organizational security to protect personal data. The Notice issued by the FSA in the Nationwide case states that the
Similarly, in the case of Vodafone, it was a regulator with overlapping jurisdiction and a more proactive enforcement agenda that took action against conduct that might otherwise have fit squarely within the jurisdiction of the data protection regulator. Like in the case of Nationwide, the amount of the fine was intended not only as a punishment but also as a serious warning to others.
A U.S.-Style Security Breach Notification Law?
Attention is also focused in Europe on whether laws in the EU should require the mandatory notification of security breaches, along the lines of
More than 30 states have enacted similar laws. They differ, however, in several key respects: some include other media (e.g., paper); the definition of “personal information” sometimes differs from state to state; in some states a harm threshold triggers the notification obligation; and, in a number of states, regulators and credit reporting agencies must be notified of the breach (in addition to affected individuals).
Although there is a widespread security breach notification obligation in the
It is significant that the U.S. Federal Trade Commission recently formed a new division, called the Division of Privacy and Identity Protection, to handle data security and privacy issues. This signals a new focus on data security and information breaches in the
Next Steps in
There is no question that the heated discussion over the possibility of a U.S.-style data breach notification law has fueled the wider debate concerning effective data protection enforcement.
BY BRIDGET TREACY AND LISA SOTTO
Bridget Treacy (
This article does not provide a complete statement of the law. It is intended merely to highlight issues that may be of general interest and does not constitute legal advice.
First published in Privacy & Law Report, Vol. 6, No. 10, 03/05/2007, pp. Copyright © 2007 by The Bureau of National Inc. (800-372-1033) http://www.bna.com