Just over a year after GDPR came into force, the large fines that the Information Commissioner's Office (ICO) proposes to levy on British Airways (£183m) and Marriott International (£99m) have prompted a surge in the number of organisations accelerating their cyber security plans and increasing budget allocation.
A recent survey of senior decision makers in the financial sector revealed that over 30 percent of them said the fines are the key factor in the decision to boost their cyber security defences. The British Airways breach occurred when website users were diverted to a rogue site, into which they submitted personal details, including credit card information. BA did not notify the ICO until September that year, a fact that will not have gone in its favour, and the organisation was criticised for its poor security arrangements.
In Marriott International’s case, the data breach occurred at Starwood Hotels, a company it went on to acquire two years after the incident, which took place in 2014. Despite Marriott International notifying the ICO as soon as the breach came to light in 2018, the ICO insists that sufficiently rigorous due diligence was not carried out, and Marriott should have done more to secure its systems.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that: personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear: when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
So what can business owners take away from these high-profile cases? The basis of GDPR is that you must show that you process personal data securely by means of ‘appropriate technical and organisational measures’, and there are some basic measures you should have in place.
Demonstrate compliance: The Government-backed Cyber Essentials and Cyber Essentials Plus schemes are designed to help you implement first-stage controls in response to the risk from common cyber threats such as hacking, phishing and password guessing. While you will need to take additional measures to combat more advanced attacks, these certifications are a good starting point for demonstrating GDPR compliance.
Act fast: any significant data breach must be reported to the ICO, and you must be able to show you took immediate steps to stop and control it, assessed the risk to data owners, and notified them.
Insurance: there are a growing number of products on the market, and we work with partners who provide tailored insurance packages, including specialist advice, a 24/7 response, fines and investigations cover. Some packages also offer electronic data cover, which includes data restoration following a breach.
Test and review: you should be constantly testing, reviewing and including best practice in your procedures. The ICO has a range of useful information, including a paper giving detailed guidance on common errors it has seen in its casework.
While British Airways and Marriott International plead their case for a reduced fine, this action by the ICO shows it has real teeth, and is a big wake-up call to organisations that are still not taking the new data protection laws seriously.
Don’t be caught out. If you suffer a breach, the fines could be reduced if you can show you have made every effort to comply with the regulations. Our cyber security experts are helping organisations just like yours to protect themselves. Give us a call or come along to one of our regular security briefings to find out more.
Contact us on 0191 442 8300 or contact@itps.co.uk for more details. www.itps.co.uk