ICO Issues a maximum £500k Fine to Facebook over Cambridge Analytica Data Breach

The ICO has confirmed that it has fined Facebook £500,000 for serious breaches of data protection law following the Cambridge Analytica case in March (see our related report here). This fine represents the maximum allowable punishment under the laws applicable at the time of the incidents.

According to the ICO's investigation, Facebook allowed application developers to access its users' data without obtaining the users' express consent, and failed to impose adequate checks on the developers and apps using its platform. As a result, developers were able to harvest the data of up to 87 million Facebook users and share some of it with organisations, including Cambridge Analytica, that were involved in political campaigning in the US. Moreover, even after Facebook discovered the misuse of its users' data, it did not take sufficient steps to ensure that those who retained the data took adequate and timely remedial action, including deletion. The ICO found that the personal information of at least one million UK users was among the harvested data, leaving those users exposed to the risk of further misuse.

Accordingly, the Commissioner concluded that Facebook had failed to adequately protect the privacy of its users before, during and after the unlawful processing of this data, and that a company of its size and expertise should have been aware of the problem and acted proactively. The ICO made clear that it views these contraventions very seriously, but because the events occurred before the GDPR (which now gives the ICO the power to issue much higher fines) came into effect, it imposed the highest fine available under the Data Protection Act 1998. A fine of the same amount was imposed on the credit rating agency Equifax Ltd last month (see our previous report here).

Uber to Pay a Record Penalty of $148 Million in a Settlement Over a 2016 Data Breach

Uber Technologies, Inc. ("Uber") has announced that it has reached an agreement with the Attorneys General of all 50 US states and the District of Columbia to resolve their legal inquiries into a data breach affecting its customers in October 2016.

Uber agreed to pay a record sum of $148 million as part of this settlement. The investigation, led by state attorneys general across the United States, focused on whether Uber had violated data breach notification laws by not informing consumers that their information had been compromised.

The settlement also requires Uber to adopt model data breach notification and data security practices as well as a corporate integrity program for employees to report unethical behaviour. Uber will also hire an outside firm to assess the company's data security and implement its recommendations.

The settlement follows a 10-month investigation into a data breach that exposed personal data from 57 million Uber accounts of both riders and drivers, including the names, email addresses and phone numbers of 50 million Uber riders around the world and the driver's licence numbers of around 600,000 drivers. Uber did not report the breach when it discovered it; instead, it paid the hackers $100,000 to delete the stolen data and keep the incident quiet. The breach was first disclosed by the company's new Chief Executive, Dara Khosrowshahi, more than a year after the company was hacked.

The Federal Trade Commission ("FTC") had already opened an investigation after the breach came to light and, having previously reached a settlement with Uber, expanded that settlement with further provisions on account of the company's inadequate data safeguards (see our first report concerning Uber's settlement with the FTC here).

Anthem Pays OCR $16 Million in Record HIPAA Settlement

Anthem has agreed to pay the Department of Health and Human Services' Office for Civil Rights (OCR) $16 million and to take corrective action for its violations of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules. The violations arose from a series of cyberattacks between December 2014 and January 2015 that led to the largest health data breach in history, affecting nearly 79 million consumers.

In 2015, OCR received a notification from Anthem that cyber-attackers had gained unauthorised access to the electronic protected health information (ePHI) of 78,800,000 consumers. OCR investigated Anthem's compliance with the HIPAA Rules and found that Anthem had potentially violated several provisions. In order to avoid further investigation and formal proceedings, Anthem has now agreed to pay $16 million and to carry out a corrective action plan under which it must, inter alia:

  • Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by Anthem;
  • Review and revise, as necessary, its written policies and procedures addressing the Security Rule requirements for information system activity review and access control, and make them available to the members of Anthem's workforce who are subject to them, for example via its intranet; and
  • Submit a written report to OCR covering its approval of the above policies and their implementation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.