The Information Commissioner’s Office (ICO) recently issued a £4.4m fine against Interserve. The regulator warned that it intends to clamp down on cybersecurity failings, saying “complacency” is the “biggest cyber risk businesses face”.
In 2020, hackers accessed the personal data of some 113,000 Interserve employees through a phishing attack. In the wake of the Interserve fine, Information Commissioner John Edwards said that, “This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.” The ICO identified particular failures on Interserve’s part, which included a failure to follow-up on the original alert of suspicious activity, the use of outdated software systems and a lack of adequate training and insufficient risk assessments.
The UK government’s 2022 Cyber Security Breaches survey found that 39% of UK businesses had suffered a cyberattack in the previous 12 months. The report noted “a lack of technical knowhow expertise within smaller organisations and at senior level within larger organisations.” It said this inhibits an organisation’s cybersecurity and fosters “a tendency to take a reactive approach, viewing investment in cyber security as a cost rather than an investment”.
The report also found “a clear lack of commercial narrative to effectively negotiate a cyber security budget”. Yet the argument for investing in adequate cybersecurity is crystal clear: the potential costs of a data breach due to cybersecurity failings can be enormous.
A fine is often just the tip of the iceberg in terms of a company’s overall exposure to a data breach. It may suffer lost earnings, as customers lose confidence. It will inevitably suffer serious reputational damage. It may also suffer costly litigation, potentially involving numerous claimants. An adverse ruling by the ICO serves as compelling evidence to underpin civil litigation, rendering liability almost a foregone conclusion.
Group Litigation Orders – a future risk?
The question of major group claims for data breaches has become a hot topic in recent years. While class actions (such as in the case of Lloyd v Google) haven’t got off the ground, there is still the possibility of successful group actions pursuant to a Group Litigation Order (GLO).
Until further guidance is given by the courts, it also remains unclear what value might be placed on data breach claims. Plainly, cases will turn on their individual facts, but businesses may take some comfort from the recent case of Driver v CPS, pursuant to which breaches at the lower end of the spectrum may only attract damages in the region of £250. Yet if a significant number of staff or customers are affected, such litigation could still be costly. Particularly so, given the legal costs involved often dwarf the value of the claims.
Some data breaches will be more significant than others, such as where sensitive data is disclosed. These will inevitably attract far higher levels of compensation and require a nuanced approach, depending on the facts.
Prevention is better than cure
Plainly, prevention is better than cure. All organisations should consider preventing cyberattacks as a key priority. Precisely what steps companies need to take will depend on their business model and sectoral risks, and the sensitivity of the data held.
Yet basic common sense measures are often still not taken, and one only has to look to the Interserve case for lessons to be learned. For example, many companies fail to update software, or to ensure devices are secured with complex passwords which are changed regularly. When home-working increased during the coronavirus pandemic, many allowed unsecured personal devices to be used for company business.
Steps to take
Companies should take advice on the use of technical measures such as VPNs, firewalls and spyware. However, staff training is essential, as the human can often be the weakest link. Staff should know that realistic looking emails can be sent by hackers impersonating colleagues. Realistic cloned websites are often used to harvest passwords or other data.
The fundamental aim of data protection is actually quite simple: it is to ensure that personal data remains secure and used for lawful purposes. As more aspects of our lives move online, an increased regulatory focus on data protection is inevitable. It’s vital that companies learn how to protect data, and to meet their regulatory obligations.
About the author
Abigail Healey, Consultant at Quillon Law, is a leading litigator in information law, including in breach of confidence and data protection.