The ICO has provisionally decided to issue a fine to Advanced, an IT software company providing services to the NHS, after it experienced a ransomware hack in August 2022.
Cyber threats are increasing and, according to GCHQ, AI is expected to heighten the global ransomware threat. Government statistics from 2024 show that half of businesses (50%) and a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for:
- Medium businesses – 70%
- Large businesses – 74%
- High-income charities with £500,000 or more in annual income – 66%.
In this insight, we discuss what we know so far about the breach, refer to the regulatory framework and explain how Tozers can assist your business with GDPR.
What do we know so far?
The ICO has provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. They provisionally report that personal data belonging to 82,946 people was exfiltrated during the attack, including phone numbers, medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
Why does a business get punished if its systems get attacked?
Data processors have a duty to ensure that personal data “is processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing… using appropriate technical or organisational measures” (Article 5(1)(f) UK GDPR). This is known as the “security principle”. A data subject has a right to privacy and if they decide to share their data with your business, the onus is on you to keep it safe.
Protecting personal data involves careful consideration of risk analysis, organisational policies and physical and technical measures. Software, a form of technical measure, is just one ingredient in the mix.
When do we consider what measures to incorporate?
The “data protection by design” principle in Article 25 UK GDPR requires you to put in place appropriate technical and organisational measures to safeguard processing. You have to do this during the design phase of any processing operation and during the processing itself.
Does that mean we need to deploy the most expensive software to protect personal data?
No. You can consider the state of the art and costs of implementation when deciding what measures to take but the ICO says they must be appropriate to both your business’ circumstances and the risk your processing poses. This means there is no one-size-fits-all solution.
Having said that, multi-factor authentication is a straightforward method to secure data and deploying it does not involve paying for the most expensive software.
What is the ICO’s message to UK businesses?
John Edwards, UK Information Commissioner said:
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
What powers does the ICO have?
The ICO is the UK’s largest independent body set up to uphold information rights. It has various enforcement powers, for example:
1. Issuing notices that require you to provide certain information.
2. Issuing enforcement notices that require you to take, or refrain from taking particular steps or actions.
3. Issuing monetary penalties of up to a maximum of £17 million for contraventions relating to network and information systems.
Can you challenge a monetary penalty by the ICO?
Yes. Advanced have received a penalty notice and the Commissioner has not made a final decision.
If the ICO intends to issue a monetary penalty it will send a notice of intent which you can challenge by sending written representations within a strict timeframe. Time is of the essence when you receive a notice of intent so it is crucial that you seek legal advice without delay.
In 2023 we acted on behalf of a client who was issued with a notice of intent for over £180,000 as a result of a data breach. We sent written representations which were successful, resulting in the investigation being dropped and the fine waived in its entirety.
How can Tozers help my business?
Everyone responsible for using personal data (which includes storing it) has to follow strict rules and lawyers play a crucial role in navigating the complex legal landscape surrounding personal data.
Tozers’ expert Data Protection Team can help you comply with the regulatory framework by:
- Providing advice and guidance.
- Discussing data protection impact assessments and the technical and organisational measures needed to mitigate or manage the risks you identify with new systems.
- Drafting bespoke data protection policies.
- Providing training to staff.
- If the worst happens, providing written representations to the ICO to dispute any penalty notice.
If you require advice, speak to one of our legal experts today in a no-obligation phone call.