TK Maxx Data Theft - Views from the UK
By Stewart Room
In January this year, news broke of a massive credit- and payment- card data theft from TK Maxx (the UK division of TJ Maxx). TJX, the parent company, said that the theft occurred in May 2006, but it did not discover this until December 2006. In an updated announcement in February, it said the theft might have occurred in July 2005, but in papers filed with the U.S. Securities and Exchange Commission in March, it clarified that 45.6 million credit and debit card numbers were stolen over 18 months.
This article examines some of the data privacy law implications of the data theft from the UK perspective, identifying key elements of the Data Protection Act of 1998 that are relevant.
The Data Protection Act and the Processing of Personal Data
The Data Protection Act regulates the processing of "personal data," that is, information relating to identifiable living individuals. It is conventional to treat credit and payment card data as personal data and there is no doubt that the Data Protection Act applied to TK Maxx's processing within the UK. As such, TK Maxx was, and is obliged, to comply with the "data protection principles." In the context of this case, it is the seventh data protection principle that is immediately most relevant.
The Seventh Data Protection Principle
The seventh data protection principle is known as the security principle. It says that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." This obligation is expanded upon by the "interpretation" to the principles contained in Schedule 1, Part II of the Act:
"Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to:
(a) The harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) The nature of the data to be protected."
The interpretation causes the data controller to consider its security measures from a practical perspective as well as in the abstract. Regarding harm, it is also highly relevant that the clause reads "the harm that might result" as opposed to "the harm that might reasonably result," showing that the Data Protection Act requires a much greater degree of foresight than the domestic tort of negligence.
However, it is also possible to read the reference to cost as placing a limitation on the data controller's obligations, in the sense that the data controller is not required to go to unlimited cost to protect personal data. This might be the correct analysis of the interpretation, but in cases of data theft of the kind in question, the more likely scenario is that the data controller has failed to implement reasonable (i.e., generally accepted) technical security measures rather than those at the outer fringes of desirability. If TK Maxx ends up as a defendant in UK legal proceedings, the issue of its compliance with the seventh data protection principle will require expert evidence to resolve.
Reporting of Security Breaches
It is conventional wisdom that the Data Protection Act does not impose any reporting of security breach obligations on data controllers. However, this view is challengeable, particularly in light of the fact that the UK courts are obliged to give a purposive construction to human rights laws.
If there is an obligation to report security breaches implied under UK data protection law, its basis would be found in the Data Protection Act's transparency mechanisms. These mechanisms - which encompass notification, fair processing notices, processing to purpose, subject access and the Information Commissioner's "information notice" enforcement procedure - collectively may provide the authority for the existence of a reporting obligation in UK law with a utility similar to those existing in the U.S.
One measure is contained in section 20, which creates an obligation to keep notifications accurate and up to date: notification is the process by which information about a data controller's processing obligations is included on a publicly accessible register maintained by the Information Commissioner.
Section 18 of the act identifies the information that must be submitted with a notification, which includes "a general description of measures to be taken for the purpose of complying with the seventh data protection principle." Section 20(2)(b) makes it clear that this general description of security measures must be kept up to date, so that the "current" measures are notified to the Commissioner.
In TK Maxx's case, it is likely fair to assume that its current security measures are different to those in place at the time of the data thefts, which means that those changes must be notified. Furthermore - and depending on the circumstances - it might be very difficult for a controller in TK Maxx's position to provide a useful general description without referring to the thefts; sometimes in order for the fact of change to be appreciated, the general description will require reference to the background context.
A much more convincing case for the inclusion of a breach notification obligation can be made by reference to the requirement to supply fair processing notices. This obligation arises under the first data protection principle, which says that personal data must be processed "fairly and lawfully," as expanded by the interpretation in Schedule 1 Part II.
Paragraph 2(1) of the interpretation says that personal data is not to be treated as processed fairly unless the data controller ensures that the data subject has, is provided with, or has made readily available to them, the information identified in paragraph 2(3), which includes "any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair."
The argument for inclusion of a breach notification requirement is simple: Once the data controller has suffered a TK Maxx-style security breach, it cannot be fair to the data subject for the controller to continue processing without notifying them of it, because the basic parameters of the processing operation have changed. Furthermore, serious failures of security do influence data subjects' decisions about the continuance of business with controllers, particularly where the controller cannot guarantee that it has resolved all outstanding issues, or where there is doubt about the parameters of the breach. So, in the immediate aftermath of a security breach, it can be argued that the controller's processing operations are not the same as those communicated to the data subject prior to the start of processing. This also applies to circumstances in which the controller indicated the processing would start or led the data subject to believe that its security met the standards required by the seventh data protection principle. But after a security breach, the accuracy of the controller's original statement or representation is undermined, meaning that the processing operation has changed, going from purportedly secure to evidently insecure.
TJX already is facing massive class actions in the U.S. In April, the Massachusetts Bankers Association brought a class action lawsuit, related to the expense of reissuing payment cards. The Arkansas Carpenters Pension Fund also has sued for TJX's failure to divulge more details about the security breach.
In the UK, the Data Protection Act permits damages claims. Section 13 says that "an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this act is entitled to compensation from the data controller for that damage." In cases of damage, the individual also can recover compensation for distress.
The courts already have held that "damage" for the purposes of section 13 means pecuniary loss (see Johnson v. Medical Defence Union, Court of Appeal 28th March 2007 and Campbell v. Mirror Group Newspapers, High Court of Justice Queens Bench Division 27th March 2002). As a result, it will be
necessary for a claimant to show financial loss before any compensation claims can be launched in the UK. This hurdle to recovering compensation is a low one in the circumstances of this case, as any TK Maxx customer who seeks to put in place new banking facilities as a result of the security breach will incur pecuniary loss, even if it is merely the cost of a few telephone calls, stamps and envelopes.
This low threshold to a damages claim must be very worrying for TK Maxx, as it opens up the much wider claim for compensation for distress. In the Johnson case mentioned earlier, the trial judge held that a Â£10.50 financial loss claim (just over U.S. $20) triggered a Â£5,000 (about U.S. $10,000) compensation award for distress. Multiplied up it is obvious that TK Maxx faces a huge potential compensation claim, particularly if the UK legal profession mirrors its U.S. counterpart and brings forth a class action.