At our annual Data Protection and Cyber Conference on 10 November 2022, we delved into some of the ICO’s recent monetary penalty notices in which fines had been applied to organisations that had suffered cyber-attacks.
The GDPR requires controllers and processors to ensure “appropriate” security is in place to protect personal data. Cyber security professionals and data protection practitioners alike have often struggled with what this means in practice. For example, will a particular password complexity requirement or cyber security product ensure compliance with the GDPR?
Unfortunately, though unsurprisingly, the ICO’s guidance does not provide a list of specific security measures that will meet the “appropriate” threshold. Rather, the ICO focuses on “outcome” based guidance that sets a course for security without prescribing the mechanics of how to get there. The ICO does not endorse particular standards or frameworks such as PCI DSS, ISO 27001 or NIST, but does say that all of these can help on the journey to a secure outcome.
Data protection and cyber security practitioners who want to understand which security measures the ICO considers an organisation should have in place should therefore keep a close eye on the monetary penalty notices the ICO publishes. These will at least highlight the specific measures and practices that were deemed inappropriate.
Two monetary penalty notices, in particular, are quite insightful in this regard:
In 2020, British Airways Plc (“British Airways”) received the highest fine that the ICO had handed out at the time. The decision notice identifies, in some detail, the attack chain and the security failures that gave rise to the breach. In concluding that British Airways’ security arrangements were not appropriate, the ICO refers to contemporaneous guidance and standards which, had British Airways applied them, ought to have stopped the attack from occurring. The Interserve Group Limited (“Interserve”) decision notice in 2022 followed a similar approach, but added the further finding that Interserve had not followed the internal security policies it already had in place.
There are a number of observations that we can make in relation to these monetary penalty notices.
The first is that, whilst the ICO states that it will not operate with the benefit of hindsight when assessing the appropriateness of security measures, it will look at all the guidance that was available at the time of the attack, as well as standards, alerts and the organisation’s own internal policies. It does so in order to establish whether the attack would have been prevented had they been followed.
This approach leaves a controller or processor in the invidious position of having to follow all guidance, all of the time, whereas the ICO need only find a single instance of non-conformity to support its decision notice. In this respect the ICO’s position resembles that of the attacker: the defender must be successful all of the time, whereas the attacker need only be successful once.
The reference in the Interserve monetary penalty notice to internal policies is particularly noteworthy. In the past, organisations may have satisfied themselves that simply having a policy was enough, as it demonstrated a willingness to comply. That is no longer the case. If the Interserve case is anything to go by, the ICO will check whether an organisation has adhered to its policy and, if not, it will say that the organisation ought to have checked for compliance. Organisations should therefore have a process in place to check adherence to their own policies. This could take the form of internal or external audit.
Secondly, the argument that an organisation did not have the financial means to secure itself is not a “get out of jail free card”. In the Interserve case, the ICO wanted to see an actual assessment of the costs involved and the reasoning behind the leadership’s decisions not to spend on certain security requirements. The ICO also noted that some security provisions would have come at no cost.
Finally, the context of the Interserve fine is revealing. The actual attack is very similar to the hundreds of ransomware attacks that our team has responded to. Over 3,000 ransomware attacks have been reported to the ICO in the last two years, and over 250 ransomware cases were reported in the same quarter in which Interserve reported its breach. Why then was Interserve singled out for investigation and the subsequent £4.4m fine? The answer may lie in the fact that Interserve was already on the ICO’s radar for previous misdemeanours. A similar dynamic may have applied to British Airways which, had its breach not attracted such wide publicity, might have fallen below the ICO’s radar.
So arguably there is an element of luck, timing and history in whether the ICO considers an organisation’s security to be appropriate. If that is true, then should your organisation suffer a data breach, avoid any publicity, ensure that your early dealings with the ICO do not raise your head above the parapet, and ideally do not have an existing poor track record with the ICO.
As always, the best defence against an ICO fine is not to get yourself into the position where you might face one.