The introduction of the GDPR threatened big fines for data breaches, but last week is the first time we’ve seen them in action. And the ICO means business. After announcing its intention to fine British Airways £183 million for a cyber-breach, the ICO proposed a £100 million fine for Marriott over its Starwood data breach.
Speaking in the Financial Times last week, Simon McDougall, Executive Director for Technology Policy and Innovation at the ICO said:
“There are scenarios where organisations can have robust systems of controls and things still happen and we understand that and at the same time there are some times when those controls are not as robust and it’s apparent when a breach comes out that things should have been done better”.
A breach is a breach
It’s equally as serious for an organisation with good security to suffer a severe breach, as it is for an organisation with bad security to suffer a minor one. Presumably an organisation with poor security arrangements but no breach could still be fined - this could come to light through an ICO audit or staff whistleblowing, for example.
But clearly, the worst situation would be to have a significant breach and poor security arrangements. In this instance, the breach may bring poor security practices to light; such as retaining information for too long, or being unable to identify what information was involved, where it ended up or how the breach happened.
The lesson here is to minimise regulatory risk by having a comprehensive information management system in place. The best-case scenario would be not to have a breach and to have appropriate security in place.
More guidance could be useful
The GDPR’s security requirements are very vague. Security must be ‘appropriate’. It must ‘ensure a level of security appropriate to the risk’. Organisations may consider the cost of implementation when designing its security regime. But more prescriptive guidelines could be helpful.
When the GDPR was being debated there was a proposal for a detailed GDPR-security manual, like the one the Garante (the Italian DP agency) issues. This was rejected for reasons of prescriptiveness and because it would have been unrealistic to produce a single set of detailed security rules for the many disparate organisations the GDPR applies to.
But the ‘appropriate’ security requirement is so vague that it leaves organisations in an uncertain place. How does an organisation embed a proportionate, risk-based approach to information security if they don’t know what good is supposed to look like? This is particularly problematic because people typically assume that a breach means inappropriate security measures were in place – meaning the organisation has breached the law and can be fined.
This takes us back to the British Airways case
We know very little about the company’s security or about the cyber-attack it suffered that reportedly led to the breach in question. What if the attack was an exceptionally sophisticated one, carried out by a well-resourced criminal network or even a foreign government? An organisation with excellent, state-of-the-art security could still suffer a breach when targeted by such an attacker. Does this mean that its security is necessarily inappropriate and that it has broken the law? The regulator could well conclude that it has. (I reiterate that we know little of the specifics of the British Airways case.)
So how should organisations respond to the ICO’s opening GDPR salvo:
- Devote as much resource as you can to your security arrangements – the ICO’s action is clearly intended to raise the security of personal information up the corporate agenda
- If you have gaps in your security regime – for example many organisations have problems with the governance of unstructured information – then at least have a clear, demonstrable plan with realistic timelines in place so that, if asked, you can show you are aware of the problem and are addressing it
- Give due attention to other related aspects of information management – for example, the retention/deletion of personal information. Regulators don’t like it if a breach involves information you should not have had. Again, have a plan in place if this is a problem area for you
- Be able to show a positive attitude to other aspects of data protection compliance – e.g. have a good story to tell in terms of your completion rate for information rights requests. It seems that the regulator may ‘test you’ on this, as well as the specific factors relevant to the breach
- Always come clean as soon as possible, if in doubt notify the breach to the ICO/the individuals concerned and never attempt to cover problems up or to destroy evidence. Be really open with any ICO investigators and admit any problems you have had and ask for their advice as to how to improve things
- Act quickly when a breach has occurred – it will stand you in good stead to be able to tell the ICO that you know exactly what happened and that you have already done all the right things to contain the damage and to minimise the risk or recurrence