Cyber-attack prompts charity trustees to reconsider their duties

The Information Commissioner’s Office (the “ICO”) announced last week that it was fining a religious charity, The British and Foreign Bible Society, £100,000 under the Data Protection Act 1998 (the “DPA”)[1]. In 2016, the charity’s computer network was compromised as a result of a cyber-attack. The ICO found that the attack was successful because the charity had failed to take measures to ensure that its computer network was adequately protected.

An easy-to-guess password allowed hackers to access a service account on the charity’s internal network. Ransomware was deployed and the hackers secured access to the personal data of 417,000 of the Society’s supporters. Some files were also transferred out of the network.

The ICO commented that the charity had exposed its supporters to possible financial or identity fraud as well as exposing the religious belief of its 417,000 supporters.

An organisation’s responsibility to take measures to protect its computer network is set out under Principle 7 of the DPA. Principle 7 requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, that data.

The ICO acknowledged that cyber-attacks are criminal acts, but found that The British and Foreign Bible Society had nonetheless failed to comply with Principle 7. The ICO’s Head of Enforcement, Steve Eckersley, said that “organisations need to have strong security measures in place to make it as difficult as possible for intruders”.

Charities would do well to take note of the ICO’s decision because many charities have very few security measures in place. The Cyber Security Breaches Survey 2018 found that 73% of the surveyed charities with annual incomes of more than £5 million had fallen victim to cyber-attacks or breaches in the last year. Despite that, only 21% of the surveyed charities had a cyber security policy in place.

The ICO’s decision places a greater onus on trustees to assess the level of security that is appropriate for their charity and then to ensure that the necessary measures are implemented. This may necessarily involve the diversion of charitable funds. Nevertheless, a charity that takes adequate steps to protect its computer networks, and that can show it takes seriously the protection of the personal data of donors and other contacts, will not only avoid fines from the ICO but will also retain the ongoing support of its donors, enabling the continued operation of the charity.

Cyber security tips for charities

What are “appropriate technical and organisational steps” for charities to consider? Although this is not definitively prescribed, the ICO has provided guidance to help organisations understand their responsibilities. The UK’s National Cyber Security Centre (NCSC) has also recently published advice specifically aimed at protecting the charity sector and joint advice with the ICO on security outcomes as they relate to GDPR.

Drawing on that guidance, the tips include:

  • conduct a risk analysis to understand the appropriate level of security required
  • maintain and enforce an information security policy
  • use technical controls such as firewalls, antivirus software, and access controls
  • ensure appropriate security settings are enabled and software is updated
  • use encryption where appropriate
  • take regular backups of important systems
  • control the use of external devices
  • use complex, unique passwords and two-factor authentication
  • change default passwords on devices and software
  • educate staff on how to avoid email phishing attacks

Some of these tips could have large costs associated with them, such as purchasing new software and technologies. However, changing default passwords, using built-in security measures, reminding staff about security and implementing security policies require only an initial outlay of time and ongoing management. Simple measures can make a significant difference and may go some way to demonstrating to the regulator that an organisation has taken data protection seriously.

[1] The fine was issued under the DPA because the breach occurred in 2016, prior to the General Data Protection Regulation and Data Protection Act 2018 coming into effect.