Cyber Security Trends: Tips from recent UK enforcement activity – Part 3

BCLP

Key to recent ICO decisions has been the ICO’s assessment of the extent and quality of communications with affected individuals and the regulator itself.  It is clear the ICO sees certain behaviours (such as the setting up of call centres after a significant data breach) as minimum requirements in many cases involving well-resourced companies.  It is an open question whether there is an onus on affected businesses to go further in demonstrating the rigor and effectiveness of their response to a data breach, and if so, what form this should take. 

Who is this relevant for?

For our Cyber Security Trends series we reviewed recent findings to provide easy-to-use tips.  Cyber incidents are sector and geography agnostic.  These briefings draw on UK adjudications but are relevant to organisations with a GDPR focus outside the UK, and they highlight cyber security trends more generally. 

TIP: Informing individuals – don’t expect much credit for achieving the industry standard

If the personal data breach is of a kind which triggers a requirement to inform affected individuals (likely to result in a high risk to their rights and freedoms), then notification on an individual basis is mandatory, e.g. email, possibly supplemented by advertising.  In addition, setting up a call centre and offering credit monitoring services, where financial data are at risk, as well as liaising with financial institutions like acquiring banks, are all par for the course.  In one decision, the ICO noted with disapproval that, while an organisation offered credit monitoring services, it had failed to communicate this effectively so that only a very small number of affected customers took this up. 

TIP: It matters who and how a breach is discovered – control over the messaging will become increasingly challenging and critical

The ICO would usually expect the organisation itself to be the first to know about a breach.  If it occurs on your own systems and network, early detection and response is part of good cyber practices.  Similarly, the GDPR explicitly links the risk and size of fine with “the manner in which the infringement became known to the regulator”.  There have been cases where the regulator has been informed by other regulators conducting their own investigation of a company, members of the public, the press and security researchers.  These have not been positive for the organisation when the ICO came to determining the appropriate sanction.

Organisations would do well to consider how they can best place themselves in the position where they know early about a cyber incident (or potential incident) and have appropriate control over the notification of the data protection regulator, other regulators, law enforcement, insurers, third parties, individuals, etc. Typically the Incident Management Response Policy will cover this. This area will become more complex over time with rising numbers of cyber incidents, the development of representative or “class” data breach actions in the UK and the greater interconnectedness of the ecosystem, not least resulting from 5G adoption. 

What sanctions apply?

In the UK the ICO can fine up to 4% of annual global turnover or £17,000,000 whichever is higher. There are related powers to compel actions to be taken, information to be provided and to conduct on site assessments and interviews.     

Brexit Postscript

Once the UK has finally left the EU at the end of 2020, organisations impacted by cyber security breaches face an increased risk of multiple fines and enforcement actions for the same incident.  This is because the UK ICO will no longer participate in the GDPR cooperative “one stop shop” mechanism alongside its European counterparts. 

As the UK's ICO is one of the largest and best-resourced data protection authorities in Europe, with a proven track record of enforcement, companies with pan-European operations cannot afford to take their eye off the UK.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

Written by:

BCLP
