Gloucester City Council (the Council) was hacked by, it is reported, Anonymous. It was fined by the ICO a not inconsiderable £100,000. This seems a bit like blaming a victim. Such a fine would be enough to cripple many companies. However, it is not quite as simple as it first appeares.
The Data Protection Act places everyone who collects and uses personal data under the obligation to keep it secure. There is also a requirement to have secure digital systems, updating and replacing them when better products are available.
Given that we carry large amounts of personal information in our email marketing lists, we are more likely to be hit by hacking and ransomware. We should be taking all possible precautions with their security regardless of the fact that we are required to do so by law. A breach in security could result in a fine, loss of business, repair costs and loss of customer confidence.
The ICO highlighted the fact that the Council were using software that was known to have vulnerabilities. Indeed, the ICO had warned of these. Patches were available. It seems clear that the ICO had calculated the fine to take what seems a lack of care into consideration.
There’s no argument that if you are targeted by one of the more sophisticated hackers there’s a chance, no matter how secure your systems, that they will get through. All it takes is a momentary lack of attention from your staff, or someone logging into their account via an unsecured network, for malware to find its way onto your systems.
In emphasising the lack of due care in the case, the ICO are, hopefully, indicating that those who patch known weaknesses in systems, have up to date software and who keep abreast of the methods used to harvest personal data will be treated more leniently.
Another aspect they will check is training of staff. Ensure only expert staff are in positions where they can give access to hackers. Follow the ICO guidelines and not only will a breach be less likely, but you have mitigation.
If you think you have been a victim don’t try and cover it up, regardless of the fear for your reputation.