February 26, 2026

ICO wins Court of Appeal ruling on scope of security duty and definition of personal data

The Information Commissioner’s Office (ICO) has won an important Court of Appeal ruling on the scope of the security duty and the definition of personal data against DSG Ltd, the parent company of Dixons and Currys PC World (DSG), preserving its £500,000 fine over a major cyberattack. A full copy of the judgment is available here: DSG Retail Limited -v- The Information Commissioner - Courts and Tribunals Judiciary

The case follows a cyber-attack on DSG which took place between 2017 and 2018, with attackers scraping transaction details from card readers. Although over 5.6 million cards were affected, in the majority of cases the Chip and PIN system prevented the attackers from obtaining information which identified cardholders. The question on appeal was whether data controllers (in this case, DSG) are required to take ‘appropriate technical and organisational measures’ (ATOMs) to protect the personal data of individuals who can be identified by the data controller, but who could not be identified by a third party who unlawfully processes their data. The court ruled that where a controller processes personal data, the controller cannot rely on the fact that the data is anonymous in the hands of a third party accessing it unlawfully to argue that the controller had no data security obligations and duties. This sends a clear message to UK businesses: if the data is personal from the perspective of the controller, then the security principle applies to the controller and the business must secure that data, even if stolen data appears anonymised or pseudonymised to attackers. Data controllers must implement ATOMs for all data they hold that relates to an identifiable individual.

Background

  • Between 2017 and 2018, DSG experienced a sustained cyber‑attack targeting point‑of‑sale systems across its retail network, with attackers deploying malware to scrape transaction‑level card data. More than 5.6 million payment cards were affected. A small subset of records included full card details and cardholder names; the majority consisted only of 16-digit payment card numbers and expiry dates, so for those records the attackers did not obtain directly identifying information about cardholders.
  • The ICO found DSG to be in breach of its data security duty, citing vulnerabilities such as inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing. The ICO issued a fine of £500,000. The Information Commissioner at the time said the findings were "concerning" and related to "basic, commonplace security measures," and that they ultimately showed "a complete disregard" for customers' data.
  • The First‑tier Tribunal (FtT) upheld the ICO’s finding that DSG breached the data security principle under the DPA 1998, stating that DSG had contravened the principle requiring it to take "appropriate technical and organisational measures...against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data". It nevertheless reduced the penalty by half to £250,000, signalling that the contravention was not as serious as the ICO had determined. DSG appealed.
  • The Upper Tribunal (UT) set aside the FtT’s decision. The UT held that the data security principle under the DPA 1998 applies only to “personal data”, and that the data in question (payment card numbers and expiry dates rather than names) did not constitute “personal data” from the attackers’ perspective because the attackers could not link that data to specific individuals. It therefore held that DSG had no security obligations with respect to such data.

The decision and implications

The Court of Appeal found that the FtT had been correct in its assessment and overturned the UT’s ruling. The Court of Appeal held that a controller is required to comply with the data security principle under the DPA 1998 with respect to data that is “personal” from the perspective of the data controller, regardless of whether the data might not be personal “in the hands of” or “from the perspective” of any other person. The key takeaway for UK businesses is that all data relating to individuals, however incomplete, is subject to the ATOMs requirement, and they must ensure their data security systems are robust in the face of increased scrutiny. "It is implicit in the reasoning of the UT, and in DSG's submissions, that such interventions are essentially harmless from the perspective of data subjects, so long as the malicious actor is not able to identify the people to whom the data relate, so that a duty to guard against them would be pointlessly burdensome," Lord Justice Warby ruled. “I do not accept that.”

The ICO General Counsel commented: “We welcome the CoA’s confirmation that organizations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognizes that even if hackers can’t identify people individually from stolen datasets, cyberattacks can and do still cause real harm… with the rising threat of cybercrime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organizations: you have a protective duty to safeguard the personal data you hold.”

There may yet be a further appeal from DSG, which would send the dispute back to the UT, with the potential, if the claim continues, for it to end up in the Supreme Court. We will monitor this case, along with other cases from the European courts that address these complex issues concerning personal data and security obligations.
