In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses cyber security and what additional measures are necessary over and above what is required by law. In addition, the ICO has now issued new guidance on employee subject access requests, and a recent ransomware attack relating to the ‘MOVEit’ file transfer tool has affected Boots, BA and the BBC.
We take a look at why this is important and the implications for both businesses and individuals.
Find out more below.
Cyber Security: Are additional measures necessary beyond what is required by law?
- A number of different authorities recommend extra cyber security protections, beyond those based in law.
- These include The National Cyber Security Centre (NCSC), the Global Cyber Alliance, Action Fraud, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA).
- The NCSC has issued its ‘10 Steps to Cyber Security’* guidance, which contains key focus areas for medium to large organisations.
- The NCSC offers other useful guides on passwords, bring your own device (BYOD), network encryption, phishing, denial of service attacks, ransomware attacks and cloud computing security.
- The FCA has provided its own materials for organisations operating within the regulated financial services sector. An example is its ‘Good Cyber Security – The Foundations’ publication.
- Although industry and regulatory codes and guidance are not protections mandated in law, failure to follow such codes might still result in adverse consequences in the case of a cyber incident.
- The government and private sector have co-operated to develop cyber security standards and procedures to strengthen the UK cyber ecosystem across government, industry and the universities.
- Industry experts have also joined forces to bring different organisations together to enhance government collaboration and promote innovation. An example is techUK (the UK’s technology trade association), which has over 800 members.
Why it matters
- Cyber security is an essential part of the UK’s booming technology sector which includes hundreds of successful cyber start-ups.
- If a cyber incident occurs and there has been a failure to follow an approved or statutory code of conduct, this might be an aggravating factor when the ICO considers sanctions.
- In order to mitigate the impact of a data breach it is important to be prepared. A Cyber Security Policy is essential, as is a Data Breach Response Plan.
- Where a new technology is being implemented, it is also important to complete a Data Protection Impact Assessment to ensure the risks to individuals’ personal data are assessed and mitigated.
*The ‘10 Steps to Cyber Security’ can be found at 10 Steps to Cyber Security – NCSC.GOV.UK.
A ‘Code of Practice for App Store Operators and App Developers’ was produced by the government in December 2022. This sets out practical steps; details can be found at Code of practice for app store operators and app developers – GOV.UK (www.gov.uk).
The government has also provided ‘Cyber Security Guidance for Business’ at Cyber security guidance for business – GOV.UK (www.gov.uk).
ICO issues new guidance on employee subject access requests
- The ICO has issued new guidance for employers on how to respond to employee subject access requests (SARs).
- The new guidance deals specifically with requests made in the context of a grievance or tribunal proceedings.
- There are exemptions which allow employers to withhold certain information; e.g. a request might be deemed ‘manifestly unfounded’ if a worker does not genuinely want to exercise their rights or is just making a request to cause disruption.
- It’s important to note that a settlement agreement cannot override the right to make a SAR so any such provisions in the agreement are unenforceable.
- Employers do not have to disclose information about third parties when responding to a SAR unless those individuals give consent or it is reasonable to include the information.
- Also exempt from disclosure are confidential references. If it is unclear whether references are confidential, each request must be considered on a case-by-case basis.
- Information relating to management forecasting or planning can be excluded from the disclosure if it might prejudice the conduct of the business, e.g. information relating to proposed redundancies.
- Information relating to planned negotiations with the applicant can be excluded, if disclosing the information might prejudice the negotiations.
Why it matters
- In 2022 more than 15,000 complaints were made to the ICO about failures to comply with subject access requests.
- Although not all complaints related to employment, it is the ICO’s view that some employers do not understand their obligations and some underestimate the importance of complying with data protection laws.
- If an employee does not genuinely want to exercise their rights or is just making a request to cause disruption, a request might be considered ‘manifestly unfounded’ and might be refused.
- However, the circumstances in which an employer can refuse to comply with an employee SAR on the basis it is manifestly unfounded are currently very limited.
- When the Data Protection and Digital Information (No. 2) Bill comes into force, it will be interesting to see if employers are able to refuse requests more easily, on the basis that they are ‘vexatious or excessive’.
The ICO has provided guidance for handling a staff subject access request at SARs Q&A for employers | ICO
MOVEit ransomware attack affects Boots, BA and the BBC
- Cyber criminals have exploited a vulnerability in the MOVEit file transfer tool.
- The tool is produced by US based company Progress Software and allows the exchange of sensitive files and data between servers, systems, applications and users within and between organisations.
- Some of the companies affected use the payroll support services provided by Zellis (who use the MOVEit software). British Airways, Boots and the BBC all use Zellis for their payroll services.
- MOVEit discovered a critical vulnerability on 2 June 2023 and asked its users to apply a workaround immediately, before an official patch was available.
- Thousands of employees were warned that their data was at risk, including national insurance numbers, bank details, staff ID numbers, dates of birth and postal addresses.
- It has been stated that the ‘Clop’ ransomware group is responsible for the cyber attack. Clop has threatened to name and shame organisations that refuse to pay a ransom. So far, no data has been posted, but extortion attempts are said to be only a matter of time.
- The payment of ransoms is generally discouraged. In July 2022, following a number of ransomware attacks, the NCSC and ICO wrote to the Law Society and Bar Council, discouraging the payment of ransoms. Details can be found at Letter from the Information Commissioner (ico.org.uk)
- Organisations affected by the cyber attack have been advised to install security patches but also to ‘assume compromise’ when dealing with the incident.
Why it matters
- This attack is a reminder of the importance of the cyber security posture of an organisation’s supply chain, including sub-contractors.
- When implementing appropriate technical and organisational measures, organisations cannot rely on third parties’ security measures, but need to carry out due diligence themselves.
- Supply chain vulnerabilities have been at the centre of a number of cyber security incidents over the past year.
The National Cyber Security Centre released guidance on supply chain mapping early in 2023. The guidance can be found at Mapping your supply chain – NCSC.GOV.UK.
The ICO has issued guidance on how to manage supply chain security at Cyber attacks! How to manage supply chain security.