Following the recent Capita cyber incident, the Information Commissioners Office (“ICO”) has issued a statement encouraging organisations utilising Capita’s services to see if they have been affected and, if so, report this to the ICO.
Background
Following the announcement from Capita PLC (“Capita”) in April 2023 that it had suffered a cyber-incident impacting provision of its services, Capita has since revealed that despite its initial assessments that no customer data had been compromised, there was in fact “some evidence of limited data exfiltration […] which might include customer, supplier or colleague data”.
Since the investigation into the incident by Capita has begun, the Guardian has reported that around 90 organisations have allegedly been in touch with the ICO following confirmation from Capita that their data may have been affected in some way.
What does this mean for pension schemes?
Pension schemes that have been notified by Capita that the data Capita holds for them has been affected will need to consider whether the breach is reportable to the ICO. As data controller of the information, trustees must notify the ICO within 72 hours of becoming aware of a breach “unless it does not pose a risk to people’s rights and freedoms”. Schemes should also consider whether they will be required to notify the affected members of this breach, which will depend on the risks involved in relation to that member’s data.
Upon receipt of a notification from Capita, trustees should contact their advisers as soon as possible, invoke their incident response plans and may also want to check their contracts to understand Capita’s contractual obligations in relation to cyber incidents.
