QSA Inbox – Ticketmaster's fine from the ICO
I love it when both of my professional worlds come together. It should happen more often than it does, but to date it is a rarity. That’s possibly because the PCI DSS work is managed by a totally different team with different skills than the data protection compliance management work.
However, the Ticketmaster monetary penalty notice (MPN) in the sum of £1.25 million issued by the Information Commissioner's Office (ICO) cites the PCI DSS on several occasions, which is something we have rarely seen until the last few weeks. In fact the ICO states that "Ticketmaster failed to discharge its obligations under the PCI DSS", and Ticketmaster is therefore seen as having failed to implement appropriate technical controls.
As both a QSA and privacy practitioner, I read the MPN with great interest. One of the very interesting points was the reference to GDPR Article 32, which requires organisations to implement controls taking into account, amongst other things, the "state of the art".
That's always been an interesting turn of phrase in the law, and the MPN expressed the view that "state of the art" includes knowledge. In essence, Ticketmaster ought to have known that third-party JavaScript embedded in web pages, and in payment pages in particular, has been known to be risky at least since 2014.
QSAs are probably slapping their heads and uttering "dur…", whilst privacy practitioners might be wondering how they should have known that.
Phillip Brining – Director & QSA – Data Protection People