COVID-19: Cyber security and resilience

Published 24 marzo 2020

In one of the most challenging weeks for businesses across the UK, the Information Commissioner’s Office published a statement recognising the unprecedented data and security related challenges we are all facing during the Coronavirus (COVID-19) pandemic. Data protection laws oblige organisations to ensure the confidentiality, integrity and availability of personal data and this is presenting a particular challenge for all organisations at this time.

In its statement, the ICO recognises that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work and states that it won’t penalise organisations that they recognise need to prioritise other areas or adapt their usual approach during this extraordinary period.

Confirming that data protection compliance is not a barrier to increased and different types of homeworking the ICO considers what kind of security measures an organisation should have in place for homeworking and confirms that you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

At DAC Beachcroft, we’ve been working with our clients to ensure that their data governance, security and breach response processes are still fit for purpose at this challenging time, when it is easy to slip into bad practices. For example, the following behaviours are often seen when people are facing challenges to get things done when away from the office:

• Sending confidential documents to personal email addresses when work systems fail or are not available;
• Taking documents home from the office and then keeping them with insufficient shredding or confidential waste disposal systems;
• It may be difficult to avoid family members or housemates inadvertently overhearing confidential telephone conversations.

It is important at this time to remind your employees of good information security practices and their obligations to report any security breaches to you promptly so that you can assess whether the breach is reportable to the ICO.

The ICO have confirmed that, even during these unprecedented times, they cannot extend statutory timescales, and therefore although we would expect some leniency from the ICO in practice, the obligation to notify the ICO of any breaches unless they do not result in any risk to the individuals concerned, within the 72 hour statutory timeframe.

Our Breach Response team has extensive experience of advising clients in relation to data breaches in a range of industry sectors including retail, professions, sports, hospitality, financial services, manufacturing, technology and telecoms. We have guided clients through a number of high profile and complex data breaches, frequently with an international dimension, and involving extortion, ransomware, wire transfer frauds, financial recoveries / Norwich pharmacal orders and PCI breaches.

The expertise of our team has been recognised through numerous industry awards and accolades, including most recently the Insurance Insider Cyber Law Firm of the Year.

For advice on any data breach related queries, please contact our 24/7 breach response service hotline on +44(0) 800 302 9215 or our Breach Response Team through our dedicated email address DataRisk@dacbeachcroft.com.