| Finding | Detail |
|---|---|
| Breach of act | Breach of the seventh principle in that insufficient technical and organisational measures were taken. The ICO highlighted: developer training; security testing of web pages; use of default passwords; encryption/decryption key management. |
| Known or should have known | The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS) and therefore should have been aware of the risks and the recommended controls. Given the nature of the information stored, it should also have been obvious to the Controller that a breach in security would be liable to cause damage or distress to the data subjects. |
| Likely to cause damage or distress | The ICO argues that the loss of payment card data could lead to fraud and substantial damage to the data subjects affected (even though there was no evidence of this). The knowledge of the loss of their personal data would cause ‘substantial distress’ to a data subject. |