Shoosmiths LLP
  November 3, 2022 - Milton Keynes, England

Fail to prepare, prepare to fail – ICO’s latest warning shot to companies lacking in data protection compliance and suffering cyber attacks
  by Shoosmiths LLP

The UK data regulator the Information Commissioner’s Office (ICO) has issued a clear warning to organisations that the biggest cyber risk they face is not from hackers themselves but from complacency towards internal data protection compliance. Such companies may face a double whammy of a cyber-attack and subsequent enforcement action.

The ICO has fined Interserve Group (a UK based construction company) £4.4 million for breaching data protection law.

Its key finding was that Interserve failed to put appropriate data protection compliance and security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

What happened (a common phishy story) …

An Interserve employee forwarded a phishing email to a colleague who opened it and downloaded its content. Malware was successfully installed and compromised 283 systems and 16 accounts, leading to the personal data of more than a hundred thousand employees being accessed. This included contact details, National Insurance numbers and bank account details, as well as potentially sensitive “special category” data such as ethnic origin, religion, disabilities, sexual orientation and health information. The hacker then encrypted and rendered the personal data unavailable to the organisation.

ICO's critical analysis of the preparation for an attack

The ICO criticised the general data protection compliance in a number of ways. It viewed this as enabling a cyber-attack, both as a failure to keep personal information of staff secure and as a general failure to comply with obligations under the “integrity and confidentiality” and “security of processing” rules of the UK General Data Protection Regulation (GDPR).

Even though the original phishing email might have been said to involve an element of bad luck (as they often do), it was the underlying failures that were deemed to have led to the disastrous loss of data control.

Compliance gaps

The penalty notice highlighted multiple failures to protect data, including:

Notably, the ICO acknowledged that the above failures, if considered in isolation, did not cause the breach or a serious contravention of data law. But the “cumulative failures materially increased the risk of an attack occurring, and the seriousness of the consequences of an attack” and it was this cumulative effect that justified the imposition of a financial penalty.

The fine and penalty breakdown

The ICO helpfully included an instructive breakdown of the level of the fine. The ICO followed step two of its Regulatory Action Policy to censure the breach based on its scale and severity.

As a starting point, the ICO noted that the breach was a significant and multi-faceted contravention of the GDPR, which continued for a significant period of time.

For the general data protection compliance failings the ICO increased the fine by £1 million, which also took into account company size and the fact that some of the failings constituted basic security requirements which could have been rectified without significant cost. The ICO noted how Interserve had failed to consider publicly available guidance, and this could have alerted them to their failings.

Interserve's financial constraints at the time of the incident held no weight with the regulator. Its transparency and cooperation with regulators earned it a £100,000 discount, and good work in remediating the breach saw the bill reduced by half a million pounds.

Fail to comply, prepare for tough action

In his new role, the UK Information Commissioner has put down a marker that his office will not treat complacency lightly.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.”

Organisations should be reminded that the regulator can impose a civil monetary penalty on a data controller of up to £17.5 million, or 4% of total global annual turnover, whichever is higher.

Hard lessons learnt

There are many simple but effective steps organisations can take to prevent breaches of GDPR and reduce the likelihood and effect of cyber-attacks:

It is vital for organisations to be on top of data protection and privacy compliance. Our legal experts can help you review your data compliance processes, understand guidance, deliver training, and assist you through dealings with the regulator. Remember: if you fail to prepare, you prepare to fail.
Read full article at: https://www.shoosmiths.co.uk/insights/legal-updates/fail-to-prepare-prepare-to-fail-icos-latest-warning-shot