The Interserve Breach – 5 lessons for all to learn

On the face of it, the latest fine by the ICO reads as an all-too-common tale of poor Cyber Security.
But all organisations should draw important lessons from the £4.4m fine.
1) Never forget Human Resources
Every organisation processes the personal data of their employees.
This includes data commonly used to facilitate identity and financial fraud – such as home addresses, bank account details, pay slips and national insurance numbers – as well as salary details which can be used to enable social and financial profiling.
It will frequently include Special Category Personal Data, such as health data. Such data is particularly sensitive to a person's fundamental rights and freedoms. You can't ask someone to "get new health data" once it is compromised, as you can with a new credit card or password: some data is core to who we are. It's called special for a reason.
In this case, the nature of the HR data, coupled with the volume of such data, led the ICO to conclude that the breach was a "significant contravention of the GDPR." (para 100).
Lesson #1
Employees trust their employer to handle their personal and often highly sensitive data. Do not overlook how human resources, line managers and external providers (e.g. for payroll, pensions, DBS checks, occupational health) handle personal data.
Key questions
1. Is all employee data accessible only to those staff who have a "need to know" it?
2. Is employee data shared with appropriate security, both internally and with external providers?
2) If you have policies, follow them! (Or assess the risk of not following them)
First base is agreeing a set of policies, procedures and logs that cover all aspects of data protection. Next, make sure they are fit for purpose, i.e. that they reflect how your organisation operates, the nature and scope of the data you handle, and the expectations of all stakeholders.
Interserve had several policies and standards in place. But when it came to the key issues that led to the breach, their actions were contrary to their own policies.
"While Interserve had adopted policies and standards directed at security, these were not effectively implemented or adhered to." (emphasis added) (para 98)
This is a difficult position to defend: you knew of the risks, had agreed policies and how to monitor them... but then didn't follow through.
The ICO even recognised that events - such as Covid - can require changes to policies. The GDPR enables such flexibility. The ICO noted that you can do risk assessments to "identify the risks involved in not complying and/or modifying... policies." (para 102).
The key is being accountable for your decisions. Sadly, Interserve did not do this either.
Lesson #2
Policies are not worth much if the right staff have not implemented them and all staff have not read and understood them.
Key questions
1. Can you evidence that staff have read your policies?
2. Do you manage data protection risk at an operational level, so that decisions to amend policies (even temporarily) are assessed and documented?
3) Has everyone done their training?
It took just two staff in the accounts team to trigger the breach. One to receive and forward on the phishing email. And one to open it and ultimately install malware onto their workstation.
While the ICO acknowledged that the employee who opened the phishing email had received appropriate training, he noted that
“…the employee who forwarded the phishing email had not received such training. This deficiency exposed Interserve to risks of the kind giving rise to the Incident.” (emphasis added) (para 70)
The ICO also noted the industry best practice that organisations should ensure all individuals are appropriately trained in how to fulfil their responsibilities.
Lesson #3
A lack of appropriate training could mean your management of personal data is deficient. Everyone handling personal data should receive some form of training.
Key questions
1. Can you evidence who has received training?
2. Could you explain why certain roles received the training they did?
3. Do you provide training at induction and annually?
4) Know your full risk profile – especially in relation to home working
The ICO accepted that each of the contraventions in isolation
“…are not necessarily causative of the incident nor a serious contravention” that would justify a fine, “…however the cumulative failures materially increased the risk of an attack occurring, and the seriousness of the consequences of an attack, and taken together do constitute a serious contravention…” (emphasis added) (para 85)
The ICO also highlighted that, in normal circumstances, the phishing link would have been blocked by Interserve’s Internet Filtering “but was not blocked by the employee’s own arrangements” because they were working at home.
Lesson #4
It is essential to establish and run an efficient means of assessing current and emerging risks across all aspects of data protection and across the entire organisation.
Key questions
1. How can staff raise data protection risks and issues? Who do they raise them with? Have they sufficient resources to make an assessment and respond accordingly?
2. Are significant strategic and operational changes, such as a move to home working, subject to Data Protection Impact Assessments in a timely manner?
5) Budgets are always tight – but do you want to be called negligent?
Like every other function, data protection and information security have to justify their budgets and spend. This can be difficult when up against departments and activities that can more easily point to a clear Return on Investment and/or show how they will directly contribute to an organisation's strategic goals.
However, in this case, the ICO was:
“not persuaded that the gravity of the contravention is materially reduced by Interserve's financial constraints at the time of the Incident” (emphasis added) (para 102).
Why? Because some of the issues could have been avoided at no or low cost. And because the additional measures
“taken following the Incident, would have entailed significant costs, but those costs were proportionate to the scale and nature of the personal data Interserve was processing” (emphasis added) (para 102).
Why? Because if they had assessed the “nature, scope, context and purpose” of the data they were processing (i.e. HR data for 113,000 staff across a number of different businesses) they should have concluded that they needed to invest more in data protection and information security measures.
In essence, the ICO is saying that Interserve should have found the money.
“Interserve's size, and particularly the size of its workforce and the volume and nature of personal data it processed about that workforce, meant that higher standards of security are expected of it than would be expected of a much smaller organisation.” (emphasis added) (para 111e).
Lesson #5
You may have to incur unplanned costs under the full glare of the regulator and stakeholders following a breach, as well as a possible drop in income from a loss of business. Instead, you could assess the "nature, scope, context and purpose" of processing to inform your decision making with regard to budget and resource for managing data protection risk.
Key questions
1. Do you assess the full cost of non-compliance when seeking budget for managing data protection and information security risk?
2. Do senior management consider the reputational, commercial and operational risk of being labelled as "negligent" by the ICO?