04 July, 2019
The after effects of a deliberate cyber attack continue to be felt by the UK's largest provider of forensic analysis services. It has come to light that UK police have frozen all work with Eurofins, who conduct DNA analysis, toxicology, ballistics and computer forensics work for police forces, as a result of a ransomware attack on their systems on the 2nd June 2019.
Ransomware is a type of computer program that infiltrates a computer system and threatens to publish the victim's data, over the Internet for example, or block their access to it by encrypting files and therefore prohibiting the company from operating.
A National Police Chief's Council (NPCC) spokesman said that all work with Eurofins was suspended on the 3rd June, the day after the actual attack, when they learned of the ransomware attack. The company has been told to return any casework that had not been started.
As a result of the attack, police forces throughout the UK had a limit placed on the amount of forensic work they can put forward for processing as Eurofins were responsible for 50% of all outsourced case work. A police Gold Group response has been set up, which only occurs in the case of major incidents or emergencies, to manage the backlog in work created.
Regarding this development, the Information Commissioner's Office (ICO) Deputy Commissioner for Operations, James Dipple-Johnstone has said:
"The ICO has received a report that Eurofins Scientific, which provides forensic and scientific services to a number of UK law enforcement agencies, has been subject to a data breach.
"We are working with partners and other stakeholders, nationally and internationally, to establish the scale and extent of the incident and to ensure that the interests of UK citizens are protected.
"At present the Luxembourg Data Protection Authority, Commission Nationale pour la Protection des Données (CNPD), is currently the lead data protection authority for this investigation. As Eurofins has its main European establishment in Luxembourg, we have offered our help under the cooperation provisions of the GDPR."
The NPCC said it was unclear how long it would be before Eurofins could give assurances that its systems were safe or whether any forensic data held by the company had been affected or accessed by the perpetrators of the cyber-attack
Technical and security measures
The sixth data protection principle, as set out in the General Data Protection Regulation (the GDPR) states that personal data shall be:
"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
Organisations must have appropriate security measures in place to ensure that personal data is not compromised. The GDPR or the Data Protection Act 2018 (DPA 2018) do not list specific security measures that you should have in place but requires you to have a level of security that is 'appropriate' to the risks presented by your use of personal data. What is 'appropriate' will need to be considered in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
72 hours ticking clock...
Notifying the ICO is now mandatory for breaches, such as a cyber attack, if they pose a risk to a data subject's rights or freedoms. If you decide that you do not have to report the breach to the ICO you must be able to show how you have justified your decision (e.g. record the justification).
There is substantial published guidance from EU regulators on what constitutes a risk to rights and freedoms, though in essence this can be simplified to making an assessment of the likelihood of harm against the severity of the harm that would be caused.
Notification to the ICO must be made within 72 hours of detection of the breach, not from when the breach actually occurred. If you are hacked over a weekend when no one is in the office, and the breach is detected at 9am on a Monday morning, then this is the point from which the timer starts.
Even if a breach is deemed non-reportable to either the ICO or the data subject(s), a log of all breaches needs to be kept, in a similar vein to a near miss accident log for health and safety purposes. This should include what happened, why the decision was made to not report the breach and what steps have been taken to prevent a similar breach from occurring in the future.
Failure to notify can lead to enforcement action, including large fines, by the ICO so the decision of whether to notify or not is of paramount importance.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.