Fail to prepare, prepare to fail – ICO’s latest warning shot to companies lacking in data protection compliance and suffering cyber attacks
by Shoosmiths LLP
The UK data regulator, the Information Commissioner’s Office (ICO), has issued a clear warning to organisations that the biggest cyber risk they face is not from hackers themselves but from complacency towards internal data protection compliance. Such companies may face a double whammy of a cyber-attack and subsequent enforcement action.
The ICO has fined Interserve Group (a UK based construction company) £4.4 million for breaching data protection law.
Its key finding was that Interserve failed to put appropriate data protection compliance and security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
What happened (a common phishy story) …
An Interserve employee forwarded a phishing email to a colleague who opened it and downloaded its content. Malware was successfully installed and compromised 283 systems and 16 accounts, leading to the personal data of more than a hundred thousand employees being accessed. This included contact details, National Insurance numbers and bank account details, as well as potentially sensitive “special category” data such as ethnic origin, religion, disabilities, sexual orientation and health information. The hacker then encrypted and rendered the personal data unavailable to the organisation.
ICO’s critical analysis of the preparation for an attack
The ICO criticised Interserve’s general data protection compliance in a number of ways. It viewed these shortcomings as enabling a cyber-attack, both as a failure to keep the personal information of staff secure and as a general failure to comply with obligations under the “integrity and confidentiality” and “security of processing” rules of the UK General Data Protection Regulation (GDPR).
Even though the original phishing email might have been said to involve an element of bad luck (as they often do), it was the underlying failures that were deemed to have led to the disastrous loss of data control.
Compliance gaps
The penalty notice highlighted multiple failures to protect data, including:
- a failure to implement its policies and standards effectively
- IT failures such as a failure to follow up a suspicious activity alert, unsupported operating systems with no security updates, no end-point protection, firewalls not being enabled and no evidence of penetration testing for over two years
- inadequate information security and data protection training for employees
- insufficient risk assessments
- a failure to conduct an effective and timely investigation into the cause of the initial attack
- too many people with privileged account access, so access to personal data was too widespread.
Notably, the ICO acknowledged that the above failures, if considered in isolation, did not cause the breach or a serious contravention of data law. But the “cumulative failures materially increased the risk of an attack occurring, and the seriousness of the consequences of an attack” and it was this cumulative effect that justified the imposition of a financial penalty.
The fine and penalty breakdown
The ICO helpfully included an instructive breakdown of the level of the fine. The ICO followed step two of its Regulatory Action Policy to censure the breach based on its scale and severity.
As a starting point, the ICO noted that the breach was a significant and multi-faceted contravention of the GDPR, which continued for a significant period of time.
For the general data protection compliance failings the ICO increased the fine by £1 million, which also took into account company size and the fact that some of the failings constituted basic security requirements which could have been rectified without significant cost. The ICO noted how Interserve had failed to consider publicly available guidance, and this could have alerted them to their failings.
Interserve’s financial constraints at the time of the incident held no weight with the regulator. Its transparency and cooperation with regulators earned it a £100,000 discount, and its good work in remediating the breach saw the bill reduced by half a million pounds.
Fail to comply, prepare for tough action
In his new role, the UK Information Commissioner has put down a marker that his office will not take complacency lightly.
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.”
Organisations should be reminded that the regulator can impose a civil monetary penalty on a data controller of up to £17.5 million, or 4% of total global annual turnover, whichever is higher.
Hard lessons learnt
There are many simple but effective steps organisations can take to prevent breaches of GDPR and reduce the likelihood and effect of cyber-attacks:
- Robust compliance means not just having a plan or even paper policies in place but proper implementation including effective training on them
- Proper observance of data protection principles such as data minimisation
- Appropriate data retention and deletion schedules properly working
- Regularly monitoring for suspicious activity and investigating any initial warnings
- Keeping software and operating systems up to date
- Commonplace procedures like anti-virus software, regular pen testing and proper backups
- Encouraging secure passwords and using multi-factor authentication
It is vital for organisations to be on top of data protection and privacy compliance. Our legal experts can help you review your data compliance processes, understand guidance, deliver training, and assist you through dealings with the regulator. Remember: if you fail to prepare, you prepare to fail.