04 August, 2023
The Information Commissioner (ICO) has recently published details of a reprimand to "My Media World Limited t/a Brand New Tube" (BNT) following an incident where BNT's systems were subject to a cyber-attack.
The reprimand states that on 14 August 2022, an unauthorised third party gained access to BNT's systems and extracted the personal data of 345,000 individuals. The data accessed comprised the names, email addresses and passwords of 345,000 website users. BNT has not been able to identify the specific cause of the incident.
The ICO has provisionally decided to issue BNT with a reprimand in respect of the following breaches of the UK GDPR:
Article 32 (1) UK GDPR - "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
Article 32 (1) (d) UK GDPR states that this includes:
"a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".
The reprimand states that the ICO has made the following provisional findings:
The ICO has recommended that BNT should take appropriate steps to ensure that it adheres to the UK GDPR, and specifically to Articles 32 (1) and 32 (1) (d) of the UK GDPR. The ICO has made the following recommendations:
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation in which the ICO considers that an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.
In December 2022, the ICO announced that it would publish details of reprimands on its website. Therefore, even where a fine is avoided, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
This reprimand highlights the importance of data security and demonstrates that data security is not simply a matter for the IT team or a third-party provider alone. In order to demonstrate accountability, organisations must have systems in place that provide sufficient oversight of data security, so that the board is not simply relying on assurances provided by one party.
A full copy of the reprimand is available to view here.
Our Data Protection team can assist organisations with handling personal data. Among various other services to help your organisation ensure that it is adhering to the UK GDPR, we can assist with producing a Data Protection Impact Assessment (DPIA), which helps organisations identify data protection risks and minimise them.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively, send any questions to Forbes Solicitors via our online Contact Form.
Learn more about our Governance, Procurement & Information department here