Cyber Security Trends: Tips from recent UK enforcement activity – Part 2

BCLP

In this part of our briefing series, we cover how prior regulatory enforcement action affects the assessment of sanctions and some pitfalls associated with undertaking internal security audits. 

Who is this relevant for?

For our Cyber Security Trends we reviewed recent findings to provide easy-to-use tips. Cyber incidents are sector and geography agnostic. These briefings draw on UK adjudications but are relevant for organisations with a GDPR focus outside the UK, and highlight cyber security trends more generally.

TIP: Prior enforcement and unaddressed problems can increase the sanction risk from a later breach

Any prior enforcement action, or past shortcomings identified by the regulator and not addressed ahead of a cyber incident, will be an aggravating factor when it comes to the likelihood and size of a fine. This is not surprising and is specified in the GDPR. Organisations should prioritise known issues, focussing on those likely to pose the greatest potential security risk.

TIP: Your own security audits may work against you

We are seeing the ICO scrutinising, then relying on, adverse findings from a company’s own security assessments. This can also extend to third-party audits, e.g. audits conducted by customers, and to any audit connected to third-party standards such as PCI DSS (where the organisation has little choice or control over the process).

With this in mind, organisations may wish to consider how they engage in future information security and cyber audits and, in particular, whether they can take place under the protection of legal privilege (confidentiality alone is unlikely to be a sufficient bar from producing a report to the ICO, if requested). 

What sanctions apply?

In the UK the ICO can fine up to 4% of annual global turnover or £17,000,000 whichever is higher. There are related powers to compel actions to be taken, information to be provided and to conduct on site assessments and interviews.    

Brexit Postscript

Once the UK has finally left the EU at the end of 2020, organisations impacted by cyber security breaches face an increased risk of multiple fines and enforcement actions for the same incident.  This is because the UK ICO will no longer participate in the GDPR cooperative “one stop shop” mechanism alongside its European counterparts. 

As the UK’s ICO is one of the largest and best-resourced data protection authorities in Europe, with a proven track record of enforcement, companies with pan-European operations cannot afford to take their eye off the UK.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

