One in five NHS Trusts were hit by a cyber-attack known as “Wannacry” on 12 May 2017 leading to PCs and data being locked up and held for ransom. The malicious ransomware known as WanaCrypt0r has hit companies and other organisations, from Russia to Australia, and Europol estimated there had been 200,000 victims in at least 150 countries. It was alleged that NHS networks were left vulnerable because they were using outdated Windows XP software, which is no longer supported by Microsoft, and therefore security upgrades had not been installed. The National Cyber Security Centre warned that more cases of the ransomware were expected to come to light beyond the NHS and “possibly at a significant scale”.
A key principle under the Data Protection Act 1998 (the “DPA”) is to take appropriate security measures to prevent unlawful and unauthorised processing of personal data and to prevent its accidental loss, destruction or damage. Such security measures need to incorporate appropriate technological and organisational systems, and therefore companies should ensure they have appropriate software (which is regularly upgraded) and cyber-security protection, amongst other things. If, as reported, certain NHS Trusts compromised personal data due to the use of outdated and unsupported Windows XP software, they are likely to be in breach of this key principle under the DPA.
The EU General Data Protection Regulation (the “Regulation” or “GDPR”), which comes into effect on 25 May 2018 and replaces the DPA, largely repeats the security principles set out in the DPA. However, the GDPR enforces a much tougher and stricter regime, with more severe penalties for data breaches.
NHS Trusts have been fined regularly by the Information Commissioner’s Office (ICO); however, the fines have been relatively modest, and the maximum that the ICO can currently fine for a data breach is £500,000. The biggest fine to date issued to an NHS Trust was the sum of £325,000, issued to Sussex University Hospitals NHS Trust. Once the GDPR is enforced, that will all change. The ICO will have the right to impose fines of up to the higher of 4% of the annual worldwide turnover of the company and €20m for severe breaches, whereas lesser/specified breaches may incur fines of up to the higher of 2% of annual worldwide turnover and €10m. The ICO will no doubt make use of these larger fining powers.
Jonathan Blunden and Emily Carter in their recent blog detailed that, according to a Cyber Security Breaches Survey, nearly half (46%) of British businesses discovered at least one data security breach in the past year, a proportion which rose to two-thirds among medium and large companies. Data security breaches are becoming a near certainty for companies and the threat, along with the obligations to protect data, needs to be taken seriously.
Currently, companies are expected to report breaches to the ICO (in accordance with ICO guidance), but there is no legal requirement to do so under the DPA. Again, the GDPR tightens up obligations upon companies by enforcing a mandatory 72-hour notification period for reporting data security breaches.
Ransomware has been increasingly prevalent over the last few years, and companies should consider whether they have adequate and appropriate security measures in place to protect the data that they store and process. In addition, companies need to be aware of their increased obligations under the GDPR and put in place plans for compliance well in advance of 25 May 2018. The Regulation radically changes the accountability and obligations of companies, and those processing large volumes of personal data are at risk of falling foul of the new legislation. Now is the time to start preparing for the new regime.