Cyber crime victimhood is not a defense against GDPR failure

When it comes to GDPR, there are two kinds of firm. There are those that take a strong, proactive approach to compliance, seeking to adhere to the principles of GDPR, and motivated by best practice (or possibly an existential threat to their business model). Such firms have invested considerable time, resources and budget, and are often happy to share their experience and practices with others (even competitors). Though the work is never done, they are generally in a good place.

The second category of firm are today scrambling to check their compliance position. These are the firms that asked “What’s the least I can do to avoid a fine?” and did the minimum they thought appropriate. Or took the risk that regulators would take a laissez-faire attitude to compliance. Or took a wait-and-see approach, and did nothing. These firms should – rightly – be alarmed at the heavy fines levied by the ICO last week. But it should not come as a surprise to anyone who has been paying attention.

The ICO has been quite transparent in its approach to regulation: advisory and approachable, but with a determination to ensure the law is upheld. The ICO does not act quickly: a typical investigation can last a year. But it does – eventually – get there.

One aspect of the recent cases is that both firms were alleged victims of cyber crime. This is being used as a defence against the stiff penalties. But GDPR is clear on security: data controllers must ensure that “appropriate technical and organisational measures” are used to protect data: each firm must decide what “appropriate measures” they deploy. In fact, the Information Commissioner provided a clear signal to any firm suffering a cyber attack resulting in a data breach, way back in October 2016. In the Talktalk judgement, where the telco lost 100,000 records in an attack, the ICO was withering in its assessment:

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

We’ve had nearly three years to digest that statement: it should be pinned on the wall of every CISO and DPO. Attacks will happen. The question is, how hard have you tried to stop the attacks? Is your position defensible, against a judgement by your regulator?

Indeed, this is official advice: in the enforcement guideline issues in October 2017 (eighteen months ago, folks) it states that:

“The controller must make the necessary assessments and reach the appropriate conclusions. The question that the supervisory authority must then answer is to what extent the controller “did what it could be expected to do” given the nature, the purposes or the size of the processing, seen in light of the obligations imposed on them by the Regulation.”

So, today, have a look at your security infrastructure and ask yourself, are you doing what you could be expected to do? If so, carry on. If not, plan to be busy over the next six months.