December 2020 edition: Why Cyber Breaches Occur on Fridays – The Importance of Being One Step Ahead of your Service Provider

In the midst of the Covid-19 pandemic, having to divert precious staff time away from operations to deal with a personal data breach isn’t good news. And, right now, we have seen an uptick in cases, particularly cyber attacks on service providers to schools and trusts. For example, the recent attack on the financial service provider WisePay, which provides services to around 300 schools, has had a significant impact.

If your trust has ever experienced a data breach then you’ll know that it pays to be prepared with a breach protocol. Here’s why:

  • Data breaches occur at inconvenient times. (It’s no coincidence that cyber attackers choose Fridays / weekends to attack);

  • Data breaches usually require urgent and critical decision making, so you’ll need to marshal your “Breach Panel”. (Is the breach of a type that has to be reported to the Information Commissioner’s Office and affected individuals?);

  • A rapid investigation is needed. (What’s the root cause of the breach, the type and volume of personal data impacted and how many data subjects are affected?);

  • You may want to instruct a specialist data protection lawyer to assess whether the breach needs to be reported and craft the Notification to the ICO so as to avoid making unnecessary admissions of liability;

  • You may need to consider instructing an Information Security specialist to identify the root cause of the breach and contain it.

Fortunately, not all breaches need to be reported to the Information Commissioner’s Office (ICO). Only those that are likely to result in a risk to the rights and freedoms of individuals need to be reported. The threshold for notifying affected individuals is actually higher than for informing the ICO: here you need to assess whether the breach is likely to result in a high risk to the rights and freedoms of those individuals.

For example, a laptop containing personal data that is stolen may not need to be reported to the ICO if it is fully encrypted, because the incident is unlikely to result in a risk to the rights and freedoms of the individuals whose personal data is held on the laptop.

Paula Williamson

On the other hand, accidentally emailing information about special educational needs and disabilities relating to pupil A to the parents of pupil B is more likely to trigger a requirement to notify the ICO, because it may involve special category personal data. Whether or not the breach would trigger a requirement to notify the affected individuals is more nuanced and may depend on how the parents of pupil B respond: if they notify the trust that they have deleted the email and haven’t copied it to anyone else, this may reduce the need to notify the affected individuals. In fact, the ICO cautions data controllers against “over-notifying” minor breaches when it is not necessary to do so, especially when this might cause unnecessary distress.

How to deal with cyber-attacks on your service providers:

If your trust has been affected by a cyber breach as a result of a cyber attack against one of your service providers, the trust will need to rely on that service provider to provide it with information about the breach and to help it meet its GDPR obligations.

In particular, the trust will need to establish:

  • What personal data has been impacted and whether the trust is a data controller of the impacted data.

  • Whether the trust’s service provider is a data processor (or sub-processor) of the impacted data. (The trust should, at all times, seek its own independent legal advice on this point and not rely on the service provider’s account.)

  • Whether or not your service provider complied with its contractual and statutory obligations. For example, did it delay notifying the trust of the cyber breach? If so, was the cause of that delay justifiable?

  • The trust is entitled to ask what technical and organisational security measures the service provider had in place before the breach took place and what measures it has put in place as a result of the breach. If your service provider withholds this information, you should seek legal advice as this may suggest they are not complying with their contractual duty to co-operate and they may be concerned at revealing a potential root cause of the breach.

  • If your service provider has failed to co-operate or to take appropriate technical and organisational security measures to protect the trust’s personal data as required under GDPR, the trust may want to consider exercising its contractual rights, including possibly terminating the contract.

Stone King has a team of dedicated Information lawyers with a background in contract law, education law and prosecutions. If you would like help preventing or dealing with a data breach, we can help. If you would like to sign up to hear specifically about Stone King’s Information Law updates, news and events please sign up here https://www.stoneking.co.uk/newsletter-sign-up or email paulawilliamson@stoneking.co.uk.

Stone King are a CST Platinum Partner
www.stoneking.co.uk/