Search

How can we help?

Icon

ICO takes action for failure to protect personal data

This week the Information Commissioner’s Office (ICO) handed Interserve a £4.4 million fine for failing to put appropriate measures in place to prevent unauthorised access of private data. One of Interserve’s employees received a phishing email with an attachment which appeared as though it required urgent action. The email was forwarded, and its contents were downloaded which resulted in hackers accessing employee data. The ICO ruled that Interserve broke data protection law.

ICO Commissioner John Edwards stated that many businesses are not taking cyber security seriously enough. He warned, “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

When does a personal data breach occur?

A personal data breach will occur whenever any personal data is disclosed, corrupted, lost or even destroyed. It will also occur where someone accesses the data without proper authorisation to do so. Some of the most common examples of data breaches occur as a result of human error, such as sending the personal data to the wrong email address or losing electronic devices which contain personal data.

The personal data breach which occurred with Interserve comprised HR data, which included employees’ contact details, national insurance numbers, birth dates, marital status’, education, and other personal information. Access to information of this sensitivity poses a risk to individuals’ rights and freedoms. It opens up the possibility for identity theft and other dangerous outcomes.

Complying with data protection security laws

The ICO said complacency is the biggest cyber risk, not hackers.

Due to the potential sanctions under the UK GDPR and DPA 2018, organisations need to consider security breach management as an important part of their broader risk strategy. A comprehensive data breach management plan should be implemented and supported by appropriate policies and procedures to identify and respond to data breaches. These should cover governance, detection, escalation, communications, investigation, and recovery and mediation.

In Interserve’s case, when the phishing email’s content was downloaded, Interserve’s anti-virus quarantined the malware and sent an alert. However, Interserve failed to investigate this thoroughly, which could have revealed that the hacker had access to its systems. 283 systems and 16 accounts were compromised, including a privileged account, which is one that has access to highly sensitive data. The account was used to uninstall Interserve’s anti-virus solution to prevent detection of malware. The ICO found that there were multiple failures as Interserve was using outdated software systems and protocols, and there was a lack of suitable staff training and risk assessments.

How to comply

  • Regularly testing, assessing and evaluating the systems and procedures an organisation has in place to prevent data breaches. The UK GDPR concerns measures in their entirety. Therefore, the scope of an organisation’s testing should be appropriate to its own circumstances.
  • Choosing a data processor that provides sufficient guarantees about its security measures.
  • Building a culture of security awareness within an organisation is important. Training employees, especially those who have access to personal data, on how to identify security breaches and escalate them to appropriate individuals and teams.
  • Investigating any warning of suspicious activity.
  • Updating software and not using outdated systems.

The ICO said complacency is the biggest cyber risk, not hackers.

Risk mitigation

Pseudonymisation and encryption could be used to reduce the impact of a breach and are specified in the UK GDPR as examples of measures that may be appropriate to implement.

Lessons for organisations

With the advancement of technology hackers are developing creative ways to infiltrate systems and organisations need to catch up by updating their systems. Even though Interserve’s data breach was a result of a phishing email being opened, it should have had strong cyber security in place to then deal with the malware.

The ICO emphasised that it is never acceptable to leave the door open to cyber-attacks especially when dealing with people’s most sensitive data. This means that organisations that are struggling financially do not have an excuse for failing to update its systems.

What to do in the event of a breach

Responding to a breach, and in particular recovering from it, is itself a part of the continuum of measures which organisations are expected to follow. See our article on notifying the ICO of a personal data breach.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 29 October 2024
  • Privacy and Data Protection

The ICO’s 2024-2025 priorities for protecting children’s personal information online

The Information Commissioner Officer (the “ICO”) has set out its 2024-2025 priorities for protecting children’s personal information online.

art
  • 12 September 2024
  • Privacy and Data Protection

2024 in review: tracking key data protection developments

As we approach the final quarter of 2024, it’s an opportune moment to revisit the data protection trends and developments that were anticipated at the end of 2023. Now, let’s see how those predictions have played out.

art
  • 02 September 2024
  • Employment

Social Media – how private is your personal data

Nowadays most people have at least one social media account. Whether it’s Facebook or TikTok, X, or LinkedIn, most adults have an online presence.

art
  • 29 August 2024
  • Privacy and Data Protection

What a controller or a processor needs to know…in a nutshell

Data processing agreements are a common feature of contracts for the supply of services, for example often featuring as self-contained schedules to master services agreements.

Pub
  • 20 August 2024
  • Privacy and Data Protection

Data Protection unlocked for HR: How to ensure compliance?

In the second episode of the ‘Data Protection Unlocked for HR’ podcast series, Harry Berryman and Shauna Jones, members of the Clarkslegal data protection team, share invaluable insights on how HR can ensure compliance, safeguard employee data, and maintain privacy standards.

art
  • 14 August 2024
  • Privacy and Data Protection

Data protection audit – what you need to know

A data protection audit is the process of auditing all of your data protection processes and procedures to understand your current levels of compliance and identify any areas for improvement.