Cybersecurity remains a real and pressing issue for businesses around the world. In the United Kingdom, some recent developments serve to emphasise the importance of companies implementing appropriate security measures proactively, both (1) to help prevent cyber incidents occurring and (2) to argue in mitigation when, not if, the company does suffer a data breach.
First, the recent group litigation case of Various Claimants v Morrison Supermarkets PLC (case citation number: EWCA Civ 2339), which centred upon a rogue employee’s misuse of personal data, included evidence and judicial comment on the nature and adequacy of Morrison’s data security policies and procedures. Clearly, had there been any failings in that security, the company would have attracted adverse publicity both within and beyond the courtroom, and potentially faced higher regulatory penalties. For a fuller description of this case, which remains subject to an appeal to the UK Supreme Court, please see our recent publication here.
The stated purpose of the Guidance is to provide organisations with “a good starting point for most systems where personal data is being protected”. It is worth emphasising that this is where corporate cybersecurity planning begins, and that each business must consider whether to apply a higher level of security based on their particular circumstances.
Cybersecurity – GDPR Requirements
The GDPR includes a requirement that organisations handle personal data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (GDPR, Article 5(1)(f)).
Whilst the GDPR does not define those “appropriate” security measures, it does provide some illustrative examples, which include:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of those technical and organisational measures (GDPR, Article 32).
In our experience, understanding what is “appropriate” or “reasonable” security for any one particular business is an analysis that requires dialogue between the company’s board, its information security and/or IT function, its internal compliance team, and its legal advisers.
No longer is the encryption of data regarded as the exclusive preserve of governments and military forces, and perhaps defence sector contractors. Recent years have seen a growing awareness amongst companies of encryption measures for data they process for themselves and their own clients. At the same time, encryption software solutions have proliferated and become easier to implement on enterprise networks, including across mobile devices.
In the Guidance, the ICO notes that Article 32 of the GDPR includes encryption as one of the specific examples of technical security measures. The Guidance also notes that organisations should introduce a specific policy and instruct their staff on whether and how to use encryption when handling personal data (e.g. when storing and/or transferring material). Significantly, the Guidance also states that:
“The ICO has seen numerous incidents of personal data being subject to unauthorised or unlawful processing, loss, damage or destruction. In many cases, the damage and distress caused by these incidents may have been reduced or even avoided had the personal data been encrypted.”
“It is possible that, where data is lost or destroyed and it was not encrypted, regulatory action may be pursued (depending on the context of each incident).”
In light of these observations, and the relative ease with which encryption can now be used across an organisation’s computer estate (including mobile devices), companies should carefully consider implementing appropriate solutions wherever reasonable. One interpretation of the Guidance is that it has introduced a de facto presumption in favour of encryption: “You should have a policy in place governing the use of encryption, including appropriate staff education.”
Passwords and Alternative Methods of Providing Secure Access
If one considers encryption measures to be analogous to investing in a cast iron safe to hold valuable goods, then passwords and multifactor authentication are the keys and combination codes to secure one’s access to that iron safe.
The Guidance states that passwords remain the most popular way for individuals to authenticate to online services. However, passwords carry “well-known risks” that, if not addressed appropriately in the creation and maintenance of an organisation’s authentication system, can jeopardise the wider security of that system.
The ICO now advises organisations to consider whether they could utilise better alternatives to passwords. The Guidance suggests implementing a single sign-on (“SSO”) system as an alternative to passwords, which would reduce the number of passwords that a system user would need to remember. However, an organisation considering an SSO system must be content with the level of security it offers; if the SSO system is compromised, then every user account behind it will also be compromised.
Multi-factor authentication (“MFA”) is another security system that organisations could choose to implement; this requires more than one method of authentication, such as a combination of passwords, security tokens and biometric verification. MFA will be more important where the data that can be accessed is particularly sensitive or could cause significant harm if such data became compromised. As many practitioners in this field know, MFA is now increasingly used by businesses across industry sectors, driven by the rising awareness of cyber risks more generally.
For example, MFA was recently recommended by the REACT Task Force, a team of law enforcement officers in California, specifically to guard against so-called “SIM swap” fraud, in which criminals take over a victim’s mobile phone number in order to steal cryptocurrencies. It was through SIM swap that criminals managed to steal USD 23.8m from bitcoin entrepreneur Michael Terpin. Originally, many MFA programs relied upon the use of SMS text messages. However, compromises and breaches over recent years have undermined that approach, and organisations should instead consider the use of either mobile applications that generate one-time codes or physical security keys. This is a point emphasised by the recent REACT report, which advises that MFA should not rely on text messages as a means of securing access when stronger authentication options are available.
Of course, any organisation seeking to use employee or customer biometric data for MFA purposes will itself need to consider the GDPR’s requirements for special category data, and/or an appropriate processing condition in Schedule 1 of the Data Protection Act 2018.