Fines escalate over unsolicited emails and data breaches

The Information Commissioner’s Office (ICO) has fined UK marketing firm Everything DM Ltd. £60,000 for sending well over a million marketing emails without sufficient consent. The emails were sent on behalf of clients and appeared to have come from the clients themselves, yet neither the clients nor Everything DM could prove that appropriate consents had been received.

This fine is dwarfed, however, by that applied to Equifax, based in Atlanta, which has found itself with a bill for £500,000 for a 2017 data breach affecting the records of 15 million British citizens and 146 million citizens globally. 

Equifax violated five out of eight data protection principles in Schedule 1 of the Data Protection Act 1988. The fine was the largest that the ICO can impose under that act, which was in effect at the time of the breach. The maximum fine was considered necessary for a breach of this scale, but could have been up to £17 million (or, if higher, 4% of global turnover) had the breach occurred after GDPR came into effect. The UK arm of the company was found to have taken insufficient care to ensure that data processed by its American parent was handled properly. The data included names, dates of birth, driving license numbers and telephone numbers.

Not surprisingly regulators worldwide, US enforcement agencies especially, have paid close attention to these cases. The Federal Trade Commissioner (FTC) has launched its own potentially lengthy Equifax investigation, but perhaps of even greater significance is that the ICO’s actions could spark further debate between the FTC and Congress. The FTC may well use the matter as leverage in its ongoing quest for civil penalty authority, although this case alone is unlikely to be sufficient to bring about change.

Those penalties that the FTC can impose already for data breach are enough to cause financial pain, and many state attorneys general have civil powers that the FTC lacks so can go further. What will be interesting now, firstly is to see whether a group of state AGs might act together on the Equifax case to impose a truly meaningful penalty, and secondly how it may impact on the way AGs use their civil penalty authority in such matters going forward.

It is clear that the US is still some way behind the EU in these matters, but there is a clear recognition of a need to catch up and this will happen.