Why Cyber Breaches Occur on Fridays – The Importance of Being One Step Ahead of your Service Provider
In the midst of the Covid-19 pandemic, having to divert precious staff time away from operations to deal with a personal data breach isn’t good news. And, right now, we have seen an uptick in cases, particularly cyber attacks on service providers to schools and trusts. For example, the recent attack on the financial service provider WisePay, which provides services to around 300 schools, has had a significant impact.
If your trust has ever experienced a data breach then you’ll know that it pays to be prepared with a breach protocol. Here’s why:
- Breaches occur at inconvenient times. (It’s no coincidence that cyber attackers choose Fridays / weekends to attack);
- Data breaches usually require urgent and critical decision making, so you’ll need to marshal your “Breach Panel”. (Is the breach of a type that has to be reported to the Information Commissioner’s Office and affected individuals?);
- A rapid investigation is needed. (What’s the root cause of the breach, the type and volume of personal data impacted and how many data subjects are affected?);
- You may want to instruct a specialist data protection lawyer to assess whether the breach needs to be reported and craft the notification to the ICO so as to avoid making unnecessary admissions of liability;
- You may need to consider instructing an Information Security specialist to identify the root cause of the breach and contain it.
Fortunately, not all breaches need to be reported to the Information Commissioner’s Office (ICO). Only those that are likely to result in a risk to the rights and freedoms of individuals need to be reported. The threshold for notifying affected individuals is actually higher than for informing the ICO – here you need to assess whether the breach is likely to result in a high risk to the rights and freedoms of those individuals.
For example, a laptop containing personal data that is stolen may not need to be reported to the ICO if it is fully encrypted, because the incident is unlikely to result in a risk to the rights and freedoms of the individuals whose personal data is held on the laptop.
On the other hand, accidentally emailing information about special educational needs and disabilities relating to pupil A to the parents of pupil B is more likely to trigger a requirement to notify the ICO because it may involve special category personal data. Whether or not the breach would trigger a requirement to notify the affected individuals is more nuanced and may depend on how the parents of pupil B respond, i.e. if they notify the trust that they have deleted the email and haven’t copied it to anyone else, this may reduce the need to notify the affected individuals. In fact, the ICO cautions data controllers against “over-notifying” minor breaches when it is not necessary to do so, especially when this might cause unnecessary distress.
How to deal with cyber-attacks on your service providers:
If your trust has been affected by a cyber breach as a result of a cyber attack against one of your service providers, the trust will need to rely on its service provider to provide it with information about the breach and to help meet its GDPR obligations. The trust will need to establish:
- What personal data has been impacted and whether the trust is a data controller of the impacted data?
- Whether the trust’s service provider is a data processor (or sub-processor) of the impacted data. (The trust should, at all times, seek its own independent legal advice on this point and not rely on the service provider’s account.)
- Whether or not your service provider complied with its contractual and statutory obligations. E.g. did it delay notifying the trust of the cyber breach? If so, was the cause of that delay justifiable?
- The trust is entitled to ask what technical and organisational security measures the service provider had in place before the breach took place and what measures it has put in place as a result of the breach. If your service provider withholds this information, you should seek legal advice as this may suggest they are not complying with their contractual duty to co-operate and they may be concerned at revealing a potential root cause of the breach.
- If your service provider has failed to co-operate or take appropriate technical and organisational security measures to protect the trust’s personal data as required under GDPR, the trust may want to consider exercising its contractual rights under the contract, including possibly terminating the contract.
Stone King has a team of dedicated Information lawyers with a background in contract law, education law and prosecutions. If you would like help preventing or dealing with a data breach, we can help. If you would like to sign up to hear specifically about Stone King’s Information Law updates, news and events, please sign up here https://www.stoneking.co.uk/newsletter-sign-up or email firstname.lastname@example.org.
Stone King are a CST Platinum Partner