External Cyber-Attacks: Avoidable Breaches, Monetary Penalties and the limits of ‘Victim’ status
When an individual is the victim of a criminal offence and reports the circumstances to the police they, not surprisingly, expect that the police will investigate the crime and will hopefully apprehend the offenders and recover any property which may have been stolen.
Where there is clear evidence that a crime has been committed it is unlikely that police will interrogate the victim about the security of their house or car. It is very unlikely that the police will sanction or fine the individual if they form the view that the security of the stolen property was in some way poor.
However, if an organisation suffers a cyber-attack on its systems and personal information is unlawfully obtained, the data protection regulator (the Information Commissioner) will assess the security measures in place prior to the attack and will make a judgment on the quality of that security. It will make little difference to the analysis that the organisation has been the subject of a clear criminal attack. The Information Commissioner will be more interested in the preventative measures used by the organisation and will consequently reach a decision on the reasonableness of the security in preventing cyber-attacks.
If the attack involves the unlawful obtaining of sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, commission of any offence etc.) then the analysis will be more rigorous.
Whilst this may at first seem unfair, in that an organisation is punished for being a victim of crime, the Information Commissioner’s objective during her investigation is the protection of the individual’s personal information rather than the apprehension of the criminals involved.
Last year the ICO issued three monetary penalties to organisations which had suffered an external cyber-attack. All were described by the ICO as serious breaches of the seventh data protection principle (appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data).
In one of the cases, the data controller reported the circumstances to the police who subsequently arrested the person responsible for the attack. The ICO considered the arrest of the attacker (who was later convicted for an offence under the Computer Misuse Act) as a mitigating factor but nevertheless issued a monetary penalty in the sum of £200,000 for a breach of the seventh principle. The ICO criticised the organisation for poor storage of administrative passwords and failing to carry out appropriate security testing on their website.
As is usual in monetary penalty cases, the ICO formed the view that the breach was avoidable. In other words, reasonable security measures would have prevented the breach in the first place.
It is clear therefore that organisations which process personal information must use all possible measures to protect that information against cyber-attacks. This includes penetration tests, risk assessments, information mapping, regular audits and staff training.
Without evidence of good security arrangements ‘victim’ status will be of little use in preventing a heavy fine.