A recent investigation by the Information Commissioner’s Office (ICO) highlights an interesting aspect of the current system. Although the ruling against Yahoo! was announced on 12th June 2018, three weeks after the enactment of the General Data Protection Regulation (GDPR), the incident was considered under the Data Protection Act 1998. This is because the breach actually occurred in November 2014, although it was not publicly disclosed until September 2016, almost two years after the attack compromising 515,121 accounts had taken place. Investigated under the DPA, the fine was a modest £250,000. Naturally this would have been significantly larger had it been judged under GDPR.
However, this does mean that today’s organisations can take their foot off the gas. At the time of the investigation taking place, although it was considered under the DPA, the ICO still expects to see adherence to GDPR going forward.
This isn’t ‘new’ news to the SRM team. We had anticipated the issue and had submitted this question to the ICO months ago:
If a breach occurred before 25th May but is not discovered until after GDPR becomes effective, will the breach be considered under the DPA 1998 (when it occurred) or under GDPR (when it was discovered)?
We received this reply from the ICO:
It is likely in this instance that the breach would be assessed under the DPA, the legislation in force at the time of the breach. However, we would expect the processing of information at the time the breach was discovered to be GDPR compliant. Therefore any lessons learned or actions taken as a result of the breach would need to be in line with the GDPR.
So what does this mean in simpler terms? It means that from 25th May 2018 every aspect of an organisation’s networks and infrastructure is required to be managed in line with the requirements of GDPR. This applies even if the actual breach is judged under the rules of the old Data Protection Act (1998).
The most important point is that a notifiable breach must be reported to the ICO without undue delay, but no later than 72 hours after becoming aware of it. So even if a breach actually occurred prior to 25th May, as soon as the breach is discovered, the new 3 day reporting timescale must be adhered to. The organisation’s systems will then be scrutinised through the prism of GDPR.
Should it not be possible to obtain all of the necessary information within 72 hours, the required information can be provided in phases, as long as the investigation is conducted as a priority. The breach still needs to be reported to the ICO when the organisation becomes aware of it, and they must submit any further information at their earliest convenience.
Having a Retained Forensics engagement in place makes the whole process significantly more efficient. Not only will they have a detailed knowledge of an organisation’s systems and networks, they will have helped to set up breach notification protocols and mitigation strategies; all of which will already be in line with the requirements of GDPR.
For more information on GDPR see our website.
To find out more about Retained Forensics, register for SRM’s free webinar: Incident Response & Forensic Expertise: would your business survive a cyber-attack or security breach?
Or read our blog: