Almost daily we are seeing cyber-attacks in the news. From nurseries to universities, to SMEs and corporate giants like Microsoft – cyber-attacks are an ever-present threat to organisations and their personal data. With an almost ingrained reliance on digital technology, data breaches can have a significant impact on organisations. This, coupled with the shift to homeworking and the use of collaboration tools, has exposed new vulnerabilities. Attackers are increasingly exploiting these changing circumstances. Consequently, there have been reported rises in phishing and ransomware attacks. Cyber-attacks often target personal data, which can result in data breaches and hefty fines from the ICO.
Recently, the zero-day exploit cyber-attack on Microsoft Exchange and the attack on a major US information technology firm, SolarWinds, have made headlines. The public sector has also been significantly affected by cyber-attacks. Just last week the National Cyber Security Centre (NCSC) published an updated alert to warn education institutions of a rise in targeted ransomware attacks following a significant spike in cyber-breaches since late February this year.
Cyber-security and the UK GDPR
The UK GDPR requires organisations to process personal data securely. The UK GDPR’s ‘security principle’ means that personal data has to be protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
As part of this security principle organisations have to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing of personal data is performed in accordance with the UK GDPR.
Cyber-attacks and the ICO
Where personal data has been compromised in a cyber-attack, data protection law requires controllers to notify the Information Commissioner’s Office (ICO) without undue delay, and no later than 72 hours after becoming aware of a personal data breach, if the incident is likely to result in a risk to the rights and freedoms of individuals. A cyber-attack that compromises personal data is likely to trigger a reportable breach. There could also be a separate obligation to notify the individuals affected.
Aside from the potential reputational damage organisations can suffer as a result of a cyber-attack, they can also face hefty fines.
Under the UK's data protection laws, maximum fines are up to the greater of £17.5m or 4% of annual global turnover. In October 2020, the ICO issued its biggest fine to date to British Airways, a £20m fine for failing to protect the personal and financial details of more than 400,000 of its customers when it was subject to a cyber-attack.
What to do?
- Be prepared. Put in place a cyber-attack strategy that recognises your vulnerabilities and aligns with your IT security systems to defend against attacks. Test your strategy, e.g. through penetration testing, and rehearse your response. As part of your strategy, have an incident management team that includes the DPO, technical team, and senior leadership.
- Train staff and test their knowledge, especially on phishing and social engineering. It is a good idea to regularly send mock phishing emails, for example, to assess the level of awareness across the staff base.
- Update systems. As and when appropriate, update security software, vulnerable software, remote access, or vulnerable legacy systems. Maintain appropriate records of the steps taken to assess and improve cyber resilience, as this helps in the context of both regulatory enforcement action and litigation.
- Get your comms right. It's important to have a comms strategy (both internal and external) when responding to cyber-attacks. This helps to maintain confidentiality and to demonstrate competence in your handling of an attack.
- Cyber insurance. Consider investing in cyber insurance.
If you would like to discuss this matter further please contact your DPO.
Emily Pepin is a Solicitor in Thorntons' specialist Intellectual Property, Technology and Media team. If you would like to discuss this matter further, call Emily on 0131 225 8705 or email email@example.com