Will I get fined by the ICO if my business suffers a data breach?

As with many things in life the answer to this tricky question is...it depends? One thing that may surprise you is that if you take cyber resilience seriously, then you may be able to reduce or eliminate this cost completely.

What is the cost breakdown for a cyber-attack?

Losing data can be as a result of many events, but as we are a cyber resilience centre let’s assume it’s because of a cyber-attack that results in the organisation’s network being breached and their data being stolen and / or encrypted. Let’s look at where the cost of the attack may come from.

COST ONE – loss of operational effectiveness. So the first impact will be in loss of business as you company comes to understand the nature and effectiveness of the attack. This may be caused by potential customers coming to your website, and on being unable to log in simply going elsewhere to get their product. And it may come from being sued by supply chain organisations from being unable to fulfil contracts.

COST TWO – paying the ransom. More than 80% of UK companies agree to pay ransoms to cyber criminals, which is significantly higher than the global average.

COST THREE – resetting the operating environment. As part of the incident response your organisation will have to work through the impact of the cyber-attack and put themselves back into Business as Usual mode.

COST FOUR – reputational loss. If customers and suppliers don’t think that you’re going to look after their data, they may look elsewhere to do business.

COST FIVE – ICO fines. Just when you think you’re out of the woods you might get slapped with a significant fine from the Information Commissioner’s Office. And as it remains a legal obligation to report a breach to the ICO there is no legal way to avoid their scrutiny. But the level of the fine, or whether you’re fined at all will depend on a number of factors.

Who are the ICO and what do they do?

The ICO was set up as an independent organisation to ensure that UK businesses adhered to Data Protection provisions, and handled / protected data according to the law. They can fine businesses up to 17.5 million pounds or 4% of global turnover, whichever is higher.

But the ICO do not automatically fine every organisation that suffers a data breach – they look behind the breach at the structure of the affected company; and if they have carried out a proportionate response to protecting their data – through adequate cyber resilience measures for example, then they may not issue a fine and simply offer guidance and support.

Case Studies

The following are a list of the more infamous data breaches in the UK that have led to fines from the ICO.

Cambridge Analytica and Facebook

On 23 March 2018, the ICO searched the London headquarters of Cambridge Analytica amid reports that the firm harvested the personal data of millions of Facebook users as part of a campaign to influence the U.S. 2016 presidential elections. In October 2018 the ICO issued a fine of £500,000, the maximum allowable at the time the incidents occurred, to Facebook, for breaches of data protection law. The ICO's investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had.

Uber

In November 2018 the ICO fined Uber £385,000 for failing to protect customers' personal information during a cyber-attack. A series of avoidable data security flaws allowed the personal details of around 2.7 million British customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber's US parent company.

Equifax

In September 2018, the ICO issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million British citizens during a cyber-attack in 2017. The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.

Is there anything I can do to avoid being fined?

This is explained by one of the ECRC’s Advisory Group members – Andy from ,DPO for Education - an outsourced Data Protection Officer function that operates on behalf of a number of schools across the South East of England.

Andy explains ‘We have spent a great deal of time advising clients to gain Cyber Essential accreditation. We are well aware that it is not the highest level of IT security accreditation but it does demonstrate an appropriate level of commitment to protect against cyber threats for many organisations in line with GDPR requirements.’

Whilst the cost to schools has risen to up to £450 for some schools both DPO for Education and the ECRC agree that it is an accreditation worth undertaking. Not only does it provide insurance cover of £25000, and protect fully or partially against up to 99% of current cyber threats also demonstrates to the ICO that your organisation is taking Cyber Security seriously. A real life example of this is explained by Andy.

‘The following incident occurred on the last day of term before the Christmas holidays when one of our School Academy Trust clients discovered that they had suffered a brute force cyber-attack some weeks previously back in mid-November. The Outlook email account of a member of the Senior Leadership Team was hacked that resulted in a change to the “rules” and several thousand emails redirected. Not surprisingly there was a degree of panic not only in what data may have been lost but also finding out at 4pm on a Friday before a 3 week close down. The breach was reported to the ICO due to the potentially sensitive information stolen.’

‘The Trust first completed the IASME accredited Cyber Essentials process in May 2019 and continued thereafter. They duly followed their guidance in reporting the incident to their insurer immediately. The response was fantastic.’

‘Within 2 hours the insurer had arranged for a conference call for 3pm on the Saturday which had not only ourselves, the Trust’s Data Protection lead, the school IT provider but also a leading City law firm and a cyber security expert from KPMG.’

‘The cyber specialist was allowed access to the schools network and within 4 hours had discovered how the incident occurred, rectified the problem and provided a report on the incident. At the same time the Law firm had assessed the potential repercussions and made their recommendations.’

‘Within 18 hours of the incident being discovered reports had been written and collated and the information sent to the ICO. The following week we received a letter from the ICO stating that they were satisfied that the Trust’s data had been’

“…. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”

The case is now closed.

‘For anyone who doubts the value of Cyber Essentials this will hopefully clear any misgivings they may have. Firstly, the professionalism of the services provided by all those connected with the insurance claim was first class and put the client’s mind at ease. Secondly the ICO’s acknowledgement by following Cyber Essentials, the Trust had taken appropriate measures in its protection of data is good to know.’

‘As we stated at the start of the article it is not the silver bullet. However, in this example, the £450 spent on Cyber Essentials scheme has proven to be great value and we will continue to urge all organisations to consider it.’

Cyber Essentials Accreditation

We would like to thank Andy and his team for sharing this really insightful case study into the effect of a real life cyber-attack and how this particular school navigated it, with DPO for Education’s assistance. To find out more about the accreditation scheme go to https://www.ecrcentre.co.uk/what-is-cyber-essentials.

And remember that free membership with the centre https://www.ecrcentre.co.uk/core-membership-sign-up includes a free guidance package called Little Steps that will help you to become accredited.

Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad). s common cyber-attacks.