Blackbaud was given a private slap on the wrist by the UK’s Information Commissioner’s Office (ICO) after paying off criminals who stole users’ financial data from the cloud CRM biz’s servers.
The astonishingly mild sanction was revealed in a Freedom-of-Information response after senior data protection specialist Jon Baines at London law firm Mishcon de Reya asked about reprimands made under the General Data Protection Regulation (GDPR).
Reprimands are a formal expression of the ICO’s disapproval, issued to organisations that have broken data protection law.
Blackbaud was one of 42 organisations given reprimands since GDPR came into force in 2018. While most of those were in the public sector, it included supermarket chains Asda and Morrisons, healthcare provider BUPA, and since-shuttered voice chat app Houseparty.
West Midlands Police was slapped on the wrist twice in three years for unspecified data protection failures. The Home Office clocked up two finger-wagging sessions during a six-month period in 2019 – while budget airline Easyjet received a telling-off in November 2019.
Six months later, “following discussions with the ICO,” the orange skyfarers confessed that nine million customers’ travel details and email addresses had been stolen by black-hat hackers. A law firm filed suit against Easyjet shortly afterwards, claiming an implausible £18bn in damages.
Other reprimands were issued to local councils, Oxford University, NHS health boards, schools – and Zoom, the videoconferencing app company. There appeared to be no small and medium-sized enterprises that were handed reprimands. The names of five organisations were withheld, potentially because they were under appeal.
An ICO spokeswoman told The Register: “The ICO’s aim is to protect people from poor organisational practices that put their personal information at risk. We have a range of powers to help us do that, including issuing reprimands and warnings to ensure the right policies and practices are in place. If we find that organisations have not made changes as set out in reprimands, or if any further incidents or complaints are reported to us, we can consider further regulatory action.”
Reprimands are issued under article 58(2)(b) of UK GDPR, or alternatively under clause 2(b) of Schedule 13 of the Data Protection Act 2018, itself a creation of the GDPR. They are handed down where the ICO believes a data processor has broken the law.
Strangely, reprimands are not made public by the ICO even though it publicizes fines it issues. Mishcon de Reya’s Baines pointed The Register to the ICO’s enforcement communications policy [PDF], which says about reprimands: “We will publicise these if it will help promote good practice or deter non-compliance.”
It appears this policy allows the ICO to issue slaps on the wrist in private mainly to public-sector organisations and big business. Meanwhile, SMEs’ data protection law infringements earn them well-publicized fines and directorial disqualifications in some cases.
Blackbaud itself revealed the existence of its reprimand in a 10-K filing [PDF] with America’s SEC, although it did not say it had been administered in private. It stated in the filing: “The ICO did not impose a penalty related to the security incident, nor did it impose any requirements for further action by us.”
Some large data lawbreakers are fined by the ICO, we note: these include Ticketmaster, British Airways, and hotel chain Marriott.
ICO fine enforcement slowed last year, as its latest figures showed. ®