Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 30, the U.K. Information Commissioner’s Office (ICO) announced an agreement reached between the ICO and a social media company that resolves an investigation into the company’s alleged misuse of personal data. The company has agreed to withdraw its appeal of the £500,000 penalty issued last year under section 55A of the Data Protection Act 1998 (DPA) and settle the case without an admission of guilt. The investigation stems from a data incident affecting upwards of 87 million users worldwide that included the processing of personal data about U.K. users in the context of a U.K. establishment. According to the ICO, the company violated principles of the DPA by (i) unfairly processing personal data; and (ii) failing “to take appropriate technical and organi[z]ational measures against unauthori[z]ed or unlawful processing of personal data.” The ICO published a statement by the company’s associate general counsel in which he noted that the company has “made major changes” to its platform that significantly restricts the information accessible to app developers, and that “[p]rotecting people’s information and privacy is a top priority for [the company].”
On July 19, the United Kingdom’s Information Commissioner’s Office (ICO) issued a £80,000 fine against a London-based real estate management company for allegedly leaving over 18,000 customers’ personal data exposed for almost two years. According to the ICO, when the company transferred personal data from its server to a partner organization, the company failed to switch off an “anonymous authentication” function, which exposed all the data—including personal data such as bank statements, salary details, copies of passports, dates of birth, and addresses—stored between March 2015 and February 2017. The ICO alleges that the company failed to take appropriate technical and organizational measures to protect customers’ personal data and concluded the failures were “a serious contravention of the 1998 data protection laws which have since been replaced by the [General Data Protection Regulation] GDPR and the Data Protection Act 2018.”
On July 8 and 9, the United Kingdom’s Information Commissioner’s Office (ICO) issued two notices of its intention to fine companies for infringements of the General Data Protection Regulation (GDPR). On July 8, the ICO announced it intended to fine a U.K.-based airline £183.39M for a September 2018 cyber incident, which, due to “poor security arrangements,” allowed attackers to divert user traffic on the airline’s website to a fraudulent site, making consumer details accessible. The airline notified the ICO about the incident, which compromised the data of approximately 500,000 consumers, and has cooperated with the ICO in the investigation and made improvements to its security arrangements. Additionally, on July 9, the ICO announced it intended to fine a multinational hotel chain £99,200,396 for failing to undertake sufficient due diligence when the chain purchased a hotel group in 2016, which had previously exposed 339 million guest records globally in 2014. The exposure was discovered in 2018, and the hotel chain thereafter reported the incident to the ICO, and has cooperated with the investigation and made improvements to its security arrangements. In both announcements, the ICO notes that it will, “consider carefully the representations made by the company and the other concerned data protection authorities” before issuing the final decision.
- Jonice Gray Tucker to moderate “Pandemic relief response and lasting impacts on access, credit, banking, and equality” at the American Bar Association Business Law Section Spring Meeting
- Jeffrey P. Naimon to discuss "Post-pandemic CFPB exam preparation" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Making fair lending work for you" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Reading the tea leaves of President Biden’s initial financial appointees" at LendIt Fintech
- Moorari K. Shah to discuss “CA, NY, federal licensing and disclosure” at the Equipment Leasing & Finance Association Legal Forum
- Jonice Gray Tucker to discuss "Compliance under Biden" at the WSJ Risk & Compliance Forum
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference