The consequences of a cyber security data breach may not only have severe business and PR related implications on an organisation but, under the GDPR, there will be a very real threat of substantial administrative fines imposed by the ICO on a company that fails to process personal data in a manner that "ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (Art. 5(1)(f) GDPR).
These fines can amount to up to 4% of annual worldwide turnover (Art. 83(5)(a) GDPR), meaning that now more than ever legal and IT teams have the attention of their company boardrooms to follow data protection requirements and put in place appropriate technical and organisational measures to ensure appropriate security of personal data.
On 10 January 2018, the ICO issued a fine to Carphone Warehouse amounting to £400,000, close to the maximum (of £500,000) under its current powers within the current (pre-GDPR) law. Carphone Warehouse's computer systems, which contained significant amounts of personal data including customer and employee records as well as historic transaction details, had been the subject of an external cyber-attack.
The ICO focussed on what it saw as a series of basic errors which a company the size of Carphone should not have allowed to happen. Notably, even though there was no evidence of actual harm caused by this particular attack, the ICO focussed on the absence of measures and the risk which they created of actual (and substantial) harm. As well as acting as a reminder that large fines are a very real threat and consequence of data breaches, this enforcement action highlights some key issues in the approach which the ICO is likely to take to assessing security failings.
Background to the monetary penalty
In July to August 2015 a Carphone Warehouse computer system containing significant amounts of personal data (including approximately 3,348,869 customer records, historic transaction details spanning 18,231 payment cards, and records of approximately 1,000 employees) was subject to an external cyber-attack. This allowed the attacker to access numerous databases including the personal data files, with the apparent aim of extracting as much information as possible. Although it cannot be determined whether the information exported by the attacker contained personal data, the ICO interpreted the evidence as indicating that the extracted files most likely did contain personal data.
Basic hygiene is key
There were some basic features of security which the ICO found plainly should have been in place: there was no Web Application Firewall and no antivirus in place. Both of these were found to be departures from widely accepted standards, and in the latter case were also clearly a departure from Carphone's own policies.
Security is a lifecycle, not a one-off activity
One of the contraventions that the ICO Commissioner noted in the monetary penalty notice was the inadequate vulnerability scanning and penetration testing measures in place. It was noted that no internal or external penetration testing had been conducted in the 12 months leading up to the attack. It was also noted that 15 days elapsed between the first compromise by the attacker and Carphone's own detection systems triggering action to shut down the intrusion.
An emerging theme in data breaches is the failure of companies to adequately test, monitor and detect unauthorised access to the security systems they have implemented. This is likely to remain a focus for regulators and courts when assessing fines and data subject actions.
Upgrade paths and patching
The web application which was first compromised was materially out of date: later versions were available which would have reduced vulnerabilities. Patching practice was found to be seriously inadequate, and contrary to Carphone's own policies/standards. Notably, these were found to be important factors in the decision to fine, even though there was no evidence that they would have prevented this particular attack.
Manage the data you actually hold
During the investigation it came to light that Carphone Warehouse were not aware of the historic transactions and credit card data held on the particular system at the time: these appeared to have been retained unintentionally through initial application configuration. This cut little ice with the ICO, which felt that Carphone plainly should have had a better understanding of the data which it retained.
This focus on retention practices, understanding the data held on particular systems, and tailoring security accordingly, should be a key part of any current exercise to achieve GDPR compliance.
Causation of actual harm may not matter
The Commissioner noted that its real concern was with the measures put in place by Carphone Warehouse, and with the contraventions that exposed the contents of the system to very serious risks, rather than with the specific data breach itself. For the purposes of regulatory enforcement, whether actual harm was suffered is only one factor. Fines can be issued simply for failing to maintain adequate measures. This is particularly the case where, as the ICO found in Carphone's case, the failings are multiple, basic and long-standing, and affect a company which has the size and means to do something about them, as well as an inherent understanding of its attractiveness as a potential target.
Double-edged swords
The Commissioner considered that Carphone Warehouse did not take reasonable steps to prevent the contravention, and one of the grounds for that finding was Carphone Warehouse's lack of urgency in remediating potential deficiencies in its information security, of which it was aware, to some degree, before the incident. This came from a number of sources:
- Carphone's own security reviews had identified weaknesses, which were neither implemented nor acted on quickly;
- internal policies had been issued which were clearly not being applied (patching, antivirus, testing);
- other divisions had better measures in place, showing that organisationally Carphone understood the need for them;
- remediation measures taken immediately after the incident tended to demonstrate that they were available and could have been implemented earlier.
What seems clear is that an organisation will be worse off when there is evidence that it understood the need for better measures but did not take them. This also raises questions of interest to litigators around the creation of disclosable documents which tend to show that the organisation understood its own weaknesses.
It is clear that the ICO factors in many different elements when deciding whether to issue a penalty for a data breach and what its value should be. Organisations can and should use their current GDPR compliance exercises as an opportunity to fill in any potential holes in their information security regime, many of which are highlighted by the ICO in this fine.