Property businesses and Data Protection Compliance: estate agency fined £80,000 for failing to keep tenants’ data safe

The Information Commissioner’s Office (ICO) has just announced it is fining estate agency Life at Parliament View Ltd (LPVL) (trading as LiFE Residential) for leaving 18,610 customers’ personal data exposed online for almost two years.

This was the result of a serious security breach caused by an insecure data transfer to an (FTP) server which itself was left unsecured with no access restrictions (anyone online could access it).  The breach was left undetected from March 2015 – February 2017.  During the period of vulnerability the data involved was accessed over half a million times  by unauthorised persons when the integrity of the data was also compromised (as some modifications and alterations to it took place).   The exposed details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.  To make matters worse LPVL only alerted the ICO to the breach later on when it was contacted by a hacker.

During its investigation, the ICO uncovered a catalogue of security errors and found that LPVL had failed to take appropriate technical and organisational measures against the unlawful processing of personal data.   These shortcomings left its customers exposed to the potential risk of identity fraud.  The ICO concluded this was a serious contravention of the Data Protection Act 1998 (which has since been replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018).

Lessons to be learnt

Property businesses face the same need to comply with data protection laws as any other business.  This is particularly important for customer facing businesses such as sales, property management and lettings agencies who process large amounts of customer data.

The security errors in this case were basic ones – failure to use appropriate and secure methods to facilitate the transfer of personal data, failure to properly configure and apply access restrictions to the relevant IT server, failure to monitor and check the security of the server on an ongoing basis (e.g. via penetration testing), and failures to train staff, to have appropriate data retention policies in place and provide guidance to staff.  Indeed the ICO had alerted businesses to the risks involved in data transfers using FTP (as in this case) in Guidance issued in 2014 and had also taken action against other organizations for similar incidents.  The delay in reporting the breach, the longevity of the data concerned  – e.g. 10 years for passport data, LPVL’s lack of policies regarding data retention and LPVL’s failure to notify affected data subjects (who were therefore unable to take steps to protect themselves against identity and financial fraud) were all considered aggravating features in this case.  In mitigation LPVL had made significant investment in improving its systems and cyber security from 2016 and once it became aware of the issue it took immediate remedial action.

All businesses need to invest in appropriate IT security, train staff accordingly and test this on a regular basis.  Had LPVL done this in this case they would have spared themselves a fine, reputational damage and the risk of lawsuits (including on a class action basis) from individuals affected by the breach.  As the ICO noted their underlying objective in imposing a fine was to promote compliance with the law and “this is an opportunity to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data.”

The ICO’s action here was under the Data Protection Act 1998 as the breach occurred whilst that Act (and not the GDPR) was in force.  Had the GDPR applied LPVL would have been in an even worse position.  First as soon as they discovered the breach they would have been obliged to notify both the ICO and the individuals concerned of the breach within very short mandatory time frames.  Second, the ICO has powers to levy much higher fines where it considers the gravity of the breach as well as other factors  justify this.  It might be argued that  LPVL were lucky they just got a £80,000 fine given what happened.   In any event they have a right to appeal should they wish to do so.  If they don’t appeal and pay promptly then the fine will be reduced to £64,000.