4th January 2023
Construction company Interserve recently received a £4.4 million fine from the regulator for failing to keep its staff’s personal information secure, in breach of data protection law. Walker Morris Regulatory & Compliance Partner Andrew Northage highlights the importance for all businesses of managing cyber risk and offers practical advice.
One employee opened a phishing email forwarded by another and downloaded the content. This resulted in installation of malware. The email had not been quarantined or blocked by the company’s system.
While the anti-virus solution quarantined the malware and sent an alert, the Information Commissioner’s Office (ICO) found that the company failed to follow up and thoroughly investigate the suspicious activity. In fact, the attacker still had access to the company’s systems and went on to compromise 283 systems and 16 accounts. The attacker also uninstalled the anti-virus solution. The personal data of up to 113,000 current and former employees was encrypted and made unavailable.
The ICO found that the company was using outdated software systems and protocols, lacked adequate staff training and had carried out insufficient risk assessments. This left it vulnerable to a cyber attack.
The company had failed to put in place appropriate technical and organisational measures to prevent the unauthorised access of people’s information, in breach of data protection law. It was fined accordingly.
Commenting on the penalty, the Information Commissioner stressed that “the biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company”. Companies that don’t regularly monitor for suspicious activity and fail to act on warnings, or that don’t update software and fail to provide staff training, were warned to expect similar fines.
Effectively managing cyber risk has never been more crucial.
In a speech in June 2022, the head of the National Cyber Security Centre (NCSC) said that ransomware remains the biggest global cyber threat most organisations must manage; and in a recent speech on the cyber dimension of the Russia-Ukraine conflict, UK organisations – and their network defenders – were warned to prepare for this period of elevated alert to be here for the long haul, with the focus on building long-term resilience.
So what are your obligations?
It’s a UK GDPR requirement that personal data is processed in a way which ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This is called the ‘security principle’.
The ICO’s guidance on security can be found here. The following key and practical points arise:
It’s useful to note what the ICO had to say in the monetary penalty notice itself about Interserve’s role as the parent company. While the cyber attack and the deficiencies identified in the notice affected numerous companies within the Interserve group of companies, the Information Commissioner was satisfied that Interserve was the controller with primary responsibility.
Interserve was the parent company for the group and was responsible for adopting, monitoring and ensuring compliance with the relevant policies relating to data protection and information security. It was responsible for the security of the IT infrastructure on which the majority of Interserve subsidiaries stored their personal data. The company employed the Chief Information Officer and the majority of individuals comprising the Group IT and Group Information Security Teams, and its submissions appeared to accept that it was the controller bearing responsibility for the relevant data security issues.
Parent companies will need to be able to clearly evidence where the responsibilities for ensuring data protection compliance and managing cyber risk lie within the group.
Our Regulatory & Compliance experts have a great deal of experience advising businesses on data protection compliance. Together with our Technology & Digital colleagues, we can provide assistance on all aspects of managing cyber risk. Please contact Andrew, who will be very happy to help.