ICO signals its intentions on cyber security: large companies need to lead by example
Published on 17th Jan 2020
The ICO has issued DSG Retail Limited, the owner of Currys PC World and Dixons Travel stores, with a sizeable fine under pre-GDPR legislation. The ICO's decision is a must-read for all organisations (and particularly for large, nationwide, retailers), with the ICO setting out its expectations as to the "appropriate technical and organisational" measures which companies must take to protect personal data.
What happened?
On 5 April 2018, DSG received an external tip-off that its computer systems had been hacked. Following investigations, DSG ascertained that between 24 July 2017 and 25 April 2018, unknown attackers had compromised and gained unauthorised access to DSG's computer systems. Approximately 14 million data subjects (with respect to non-financial personal data) and over five million payment cards were affected.
On 9 January 2020, the ICO issued DSG with a £500,000 fine for serious contraventions of the Data Protection Act 1998 (DPA). In particular, the ICO found that DSG had breached the seventh data protection principle which requires organisations to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data.
Why is this relevant, post-GDPR?
The decision sets out the ICO's expectations as to the steps organisations should take in order to be compliant with the obligation under the DPA to implement "appropriate technical and organisational measures".
Whilst the DPA has now been replaced by the GDPR and the Data Protection Act 2018, the GDPR contains similar obligations on data controllers and processors to take "appropriate technical and organisational measures".
What steps should organisations take?
The GDPR does not specify the precise measures that should be taken to protect personal data. Instead, the GDPR refers to "appropriate" technical and organisational measures. This leaves much scope for uncertainty and interpretation.
The ICO's decision against DSG articulates how it will approach the question of compliance, and the way in which it will analyse the measures which have been taken. As such, organisations should make sure that they are able to provide a satisfactory answer to each of the following questions:
1. Have you implemented advice given to the company?
Prior to DSG's cyber breach, DSG had commissioned an information security consultancy to assess the adequacy of certain of its security measures. That assessment identified a number of critical vulnerabilities and deficiencies in DSG's technical and organisational measures, which DSG had not then rectified. The ICO considered that at least some of those vulnerabilities and deficiencies had played an essential role in DSG's cyber breach. The ICO relied heavily on that prior security assessment to determine that DSG had not done as much as it should have to prevent the occurrence of its cyber breach.
It is eminently sensible for large organisations to obtain periodic external security / vulnerability assessments (for many companies, commissioning such assessments will form part of the appropriate technical and organisational measures which must be taken). However, it is commonplace for those kinds of assessments to result in dozens, or even hundreds, of pages of recommendations – not all of which it is cost-efficient to implement. Those recommendations will rarely be privileged, which means that the ICO will be able to demand copies of them in any subsequent investigations that it might carry out.
After receiving the outputs of any kind of security / vulnerability assessment, companies will need to consider very carefully what they choose to implement and how. It will be important for companies to have a written record of their decision-making in this respect, especially with respect to any decision not to implement, or to delay implementing, recommended measures.
If you consider that implementing any particular measure is not cost-proportionate, assess very carefully the costs of implementation as against the size of the business, the nature and volume of personal data being processed, and the current standard of security. The ICO has made clear that it will scrutinise carefully any cost-based decision-making, noting that where the cost of implementation is high, this must be weighed against the level of harm that might result from unauthorised processing.
2. Have you implemented publicly available best practice / external guidance?
The ICO found that DSG had failed to implement certain of Microsoft's publicly available best practice guidance and patching updates dating from 2014. The consideration and weight given by the ICO to Microsoft's advice is an important reminder for companies to stay on top of publicly available guidance and updates. It will be very hard for organisations to excuse failures to implement free updates and advice.
In addition to monitoring for advice and guidance from software and hardware companies, organisations should monitor advice given by GCQH's cyber security arm, the National Cyber Security.
3. Have you complied with industry standards?
Given that it processes payment card data, DSG was required to adhere to the secure payment card standard developed by card schemes known as the "PCI DSS". Prior to DSG's cyber breach, DSG had commissioned an assessment of certain of its security measures by an information security consultancy. That assessment had concluded that certain of DSG's hardware may not be compliant with the requirements of the PCI DSS.
Whilst the ICO accepted that PCI DSS compliance and DPA compliance were not the same thing, it stated that the PCI DSS was 'helpful' in the its assessment of what constituted an 'appropriate' measure of security in relation to the payment card environment. Organisations that operate in an industry with specific, accepted, security standards need to pay attention to those standards and anticipate that, in the event of an incident, they may be judged against those standards.
To the extent that an organisation decides not to adhere to an applicable industry standard, it should record its rationale for this.
4. Have you complied with internal policies?
The ICO found that DSG did not comply with its certain of its own policies, in relation to both access permissions / passwords and patching (external advisors had, prior to DSG's cyber breach, identified multiple instances of missing patching).
For all organisations, one of the post-GDPR priorities has been to ensure that appropriate policies and procedures are put in place. Of equal, if not greater, importance, is ensuring compliance with those policies. Our view is that it will be very difficult for an organisation to argue, in any ICO investigation, that it did not need to take steps mandated by its own policies. For that reason, it is vital to ensure that policies and procedures are sensibly drafted and do not create unachievable standards.
5. Are you confident that you can proactively identify breaches?
DSG did not identify the breach on its own systems (despite the breach being ongoing for some nine months). The ICO considered this an aggravating feature of the breach. Organisations should ensure that they have proper systems in place to monitor for malicious activity on their systems.
6. Have you learned lessons from your group companies?
The ICO noted that it had issued a monetary penalty to one of DSG's subsidiaries in January 2018, with respect to similar vulnerabilities (and that the ICO's underlying investigation had exposed those vulnerabilities in mid-2015). For organisations that are part of a group of companies, it is clear that the ICO will expect lessons to be learned from group company experience.
7. For organisations similar to DSG: have you taken the specific measures identified by the ICO?
The ICO identified numerous technical measures that it considered DSG should have implemented, and commented that it considered those measures to represent appropriate measures for organisations "such as DSG" to have had in place in mid-2017.
Organisations similar to DSG should ensure that they have implemented all of the measures identified by the ICO, namely:
- network segregation;
- local firewalls;
- software patching and updates;
- penetration testing and vulnerability scanning (at regular intervals);
- application whitelisting;
- logging and monitoring systems;
- point-to-point encryption;
- privileged account management; and
- adherence to industry standard hardening guidance.
8. For large, nationwide, retailers and / or companies that handle payment card data: are you leading by example?
The ICO's decision notes that the general public would expect DSG, as a large nationwide retailer, to 'lead by example' on cyber security. The ICO appears to be implying that it will hold to a higher standard those organisations in whom the general public places trust.
Similarly, certain of the ICO's comments suggest a greater level of scrutiny will be applied to organisations that handle large quantities of payment card data.
ICO's commentary on legal issues
The ICO's decision is also helpful in setting out the ICO's views on certain legal issues:
- Payment card numbers constitute personal data. DSG's cyber breach compromised over five million payment cards, with the unknown attackers being able to capture the 'primary account number' for affected cards (but not necessarily the cardholder name). DSG argued that the primary account number by itself did not constitute 'personal data' because it did not enable the identification of the individual card or account holder. The ICO rejected this argument, holding that payment card numbers alone (without accompanying cardholder name) constitute personal data.
- Contravention is possible without any actual data breach. The ICO identified a number of contraventions of the obligation to take appropriate technical and organisational measures. DSG contended that its failure to take certain of the measures identified by the ICO would not have prevented DSG's cyber breach from occurring. The ICO rejected that argument, on the basis that a contravention of the obligation to take appropriate technical and organisational measures can occur even where no data breach has occurred.
- Legal effect of swift remedial measures on liability? The ICO noted that DSG had implemented "a significant number of measures and controls" following notification of the attack, which the ICO considered showed that "at least some of these measures were readily achievable". The implementation of remedial measures can therefore be a double-edged sword.
- Efficacy of support offered to customers? The ICO noted that DSG had offered credit monitoring services to its customers, but queried the effectiveness of communications regarding such support given low take-up rates. Further, the ICO noted that offering credit monitoring was an "industry standard approach" and, as such, gave only limited credit to DSG for this. This clearly signals that organisations should offer such services post breach, but that offering those services is unlikely to lower fine levels.
Osborne Clarke comment
Whilst the ICO's decision was made under the DPA, the ICO's decision contains important findings for all organisations and especially those with similar profiles to DSG. There is now a growing body of regulatory guidance from data protection regulators across Europe on these issues and this will continue over the next year or so as they work through a backlog of post-GDPR breaches. Companies that don't heed that guidance will not just face potential fines but also follow-on litigation.