Managing cyber risk: Interserve's £4.4 million data breach penalty

Construction company Interserve recently received a £4.4 million fine from the regulator for failing to keep its staff’s personal information secure, in breach of data protection law. Walker Morris Regulatory & Compliance Partner Andrew Northage highlights the importance for all businesses of managing cyber risk and offers practical advice.

What happened in this case?

One employee opened a phishing email forwarded by another and downloaded the content. This resulted in installation of malware. The email had not been quarantined or blocked by the company’s system.

While the anti-virus solution quarantined the malware and sent an alert, the Information Commissioner’s Office (ICO) found that the company failed to follow up and thoroughly investigate the suspicious activity. In fact, the attacker still had access to the company’s systems and subsequently compromised 283 systems and 16 accounts. They also uninstalled the anti-virus solution. The personal data of up to 113,000 current and former employees was encrypted and made unavailable.

The ICO found that the company was using outdated software systems and protocols, lacked adequate staff training and had insufficient risk assessments. This left it vulnerable to a cyber attack.

The company had failed to put in place appropriate technical and organisational measures to prevent the unauthorised access of people’s information, in breach of data protection law. It was fined accordingly.

Commenting on the penalty, the Information Commissioner stressed that “the biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company”. Companies that don’t regularly monitor for suspicious activity and fail to act on warnings, or don’t update software and fail to provide staff training, were warned to expect similar fines.

Managing cyber risk: Your obligations and practical steps

Effectively managing cyber risk has never been more crucial.

In a speech in June 2022, the head of the National Cyber Security Centre (NCSC) said that ransomware remains the biggest global cyber threat most organisations must manage; and in a recent speech on the cyber dimension of the Russia-Ukraine conflict, UK organisations – and their network defenders – were warned to prepare for this period of elevated alert to be here for the long haul, with the focus on building long-term resilience.

So what are your obligations?

It’s a UK GDPR requirement that personal data is processed in a way which ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This is called the ‘security principle’.

The ICO publishes guidance on security. The following key and practical points arise:

  • You must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised – information security includes physical and organisational measures, not just ‘traditional’ cybersecurity.
  • Individuals are entitled to be protected not only from serious types of harm such as identity fraud, but from less serious types of harm such as inconvenience and embarrassment.
  • Information security can support good data governance and help you to demonstrate compliance with other aspects of the UK GDPR.
  • The UK GDPR does not define the security measures you should have in place. When deciding what measures to implement, you can take account of the state of the art and costs of implementation, but the measures must be appropriate to your circumstances and the risks posed by your data processing. The ICO and NCSC have developed a set of security outcomes you can use to determine the measures appropriate for your circumstances.
  • As there is no ‘one size fits all’ approach, you should carry out a risk analysis to decide what measures will be appropriate, and document your findings. Take into account factors such as: the nature and extent of your premises and computer systems; the number of staff and the extent they can access personal data; and any personal data held or used by a data processor acting on your behalf.
  • The risk analysis should take into account the requirements for restoring availability and access to personal data in a ‘timely manner’.
  • Ensuring confidentiality, integrity and availability of personal data is key. Information security measures should seek to guarantee all three of these elements for systems and the data they process.
  • You must be able to ensure the resilience of your processing systems and services. Think, for example, about business continuity and disaster recovery plans.
  • Pseudonymisation and encryption are examples of measures that may be appropriate. Again, it will depend on the nature, scope, context and purposes of your processing, and the risks it poses to individuals. The ICO considers encryption to be an appropriate technical measure given its widespread availability and relatively low implementation cost. The ICO also publishes detailed encryption guidance.
  • Physical measures: Think about factors such as the quality of doors and locks and how your premises are protected. How do you control and supervise access? How do you dispose of hard copy and electronic waste? How do you keep IT equipment, including mobile devices, secure?
  • Organisational measures: Aim to build a culture of security awareness. Identify someone with day-to-day responsibility for information security and make sure they have the appropriate resources and authority to do their job effectively. Consider putting a formal policy in place to demonstrate how you are taking steps to comply. Think about issues such as coordination between key individuals, business continuity, and access to premises or equipment given to third parties. Carry out periodic checks to make sure your security measures are up to date and still appropriate.
  • Cybersecurity: Think about system security, data security, online security and device security. Meeting the requirements of the government’s Cyber Essentials Scheme is a good start, but you may need to go further depending on your processing activities.
  • Controllers must put certain measures in place when a data processor is involved. This includes in relation to contractual arrangements.
  • The ICO will consider the extent to which any sector-specific security requirements have been met.
  • The UK GDPR requires you to undertake regular testing, assessment and evaluation of the effectiveness of your security measures. The results should be documented and any recommendations acted on and safeguards implemented.
  • It’s a UK GDPR requirement to make sure that staff don’t process any personal data unless instructed to do so. You should provide appropriate initial and refresher training.
  • Remember that where a personal data breach has occurred, and a risk to people’s rights and freedoms is likely, you must report the breach to the ICO within 72 hours of becoming aware of it.

A note on parent companies and managing cyber risk

It’s useful to note what the ICO had to say in the monetary penalty notice itself about Interserve’s role as the parent company. While the cyber attack and the deficiencies identified in the notice affected numerous companies within the Interserve group of companies, the Information Commissioner was satisfied that Interserve was the controller with primary responsibility.

Interserve was the parent company for the group and was responsible for adopting, monitoring and ensuring compliance with the relevant policies relating to data protection and information security. It was responsible for the security of the IT infrastructure on which the majority of Interserve subsidiaries stored their personal data. The company employed the Chief Information Officer and the majority of individuals comprising the Group IT and Group Information Security Teams, and its submissions appeared to accept that it was the controller bearing responsibility for the relevant data security issues.

Parent companies will need to be able to clearly evidence where the responsibilities for ensuring data protection compliance and managing cyber risk lie within the group.

Managing cyber risk: How we can help

Our Regulatory & Compliance experts have a great deal of experience advising businesses on data protection compliance. Together with our Technology & Digital colleagues, we can provide assistance on all aspects of managing cyber risk. Please contact Andrew, who will be very happy to help.