Thursday 6 October 2016

Yahoo: Directors' liability for cyber breach: IP protection in the Digital Age

With only 20 months until the GDPR takes effect, large organisations such as Barclays have already put big teams and resources in place to meet the new requirements. With fines of up to 4% of annual global turnover (or €20 million, whichever is higher), the obligation to keep records of processing (in effect a personal data inventory) and the requirement to report breaches to the regulator within 72 hours, this will be a big challenge for the SME and mid-size community. The requirement of explicit consent for processing sensitive personal data (which, where it is used to identify individuals, is likely to extend to video and voice) and the linked right to be forgotten will require a significant commitment of resource and expertise.

TalkTalk were fined a record £400,000 yesterday by the ICO for a very poor level of cyber security. That is close to the £500,000 maximum available under current UK legislation, and it is a wake-up call for businesses handling personal data in the UK, because fines will be much higher under the new regime. Dido Harding may be regretting that she did not obtain an independent view of her company's cyber safety levels and instead allowed her IT team to mark their own homework.

The Yahoo hack has made the news, but most of the focus has been on its scale in terms of the number of email accounts affected. The class action suit, available HERE, alleges negligence under Count V. The specific wording is: "Defendant owed a duty to Plaintiffs and the other class members to exercise reasonable care in safeguarding and protecting their PI and financial information in its possession from being compromised, lost, stolen, misused, and/or disclosed to unauthorised parties".

Further on, the suit suggests that identity thieves may wait years before using the information they have obtained, and that class members will therefore need to remain vigilant for years or decades to come.

The combination of an alleged breach of the duty of care and the prospect of decades of required monitoring points to a potentially very large damages figure. This could be the end of the road for Yahoo and could open the way for personal negligence claims against directors in this area.


Taken together, these developments show the regulatory regime for personal data tightening significantly, and the level of risk that boards and their directors now carry is beginning to become clear.