This morning, the Information Commissioner’s Office (ICO) announced that it had fined Interserve Group Limited (Interserve) £4,400,000 for breaches of the UK GDPR that came to light following a May 2020 cyberattack. This is the fifth enforcement decision from the ICO since Commissioner John Edwards took office at the start of the year, and it contains some clear lessons as to how the ICO expects organisations to handle cyber and data risk.
- The ICO expects all organisations to stay on top of cyber security standards and practices, even if (like Interserve) they are a B2B business and even if they are facing financial challenges. The ICO emphasised that it expects organisations to take account of relevant industry standards of good practice and publicly available guidance, expressly referencing the ISO27000 and NIST series as well as guidance from the National Cyber Security Centre and the ICO itself.
- While the cyberattack affected numerous companies within the Interserve Group, the ICO directed the fine to Interserve, as the parent company, on the basis that it was ultimately responsible for making decisions on data protection and information security. This is consistent with enforcement against other large groups, such as BA and Marriott. It is essential that organisations are clear about where and how these decisions are made and who owns cyber and data risks, and that they can evidence this to the ICO if challenged, or to transaction counterparties (e.g. in an M&A scenario).
- The ICO acknowledged the extensive remedial efforts made by Interserve to address the impact of the cyberattack and the action it took to mitigate the risk of harm to data subjects, and as a result provided a substantial reduction in the penalty ultimately imposed. These remediation efforts also enabled Interserve to operate its business without substantial interruption from the cyberattack and subsequently to carry out a series of significant M&A transactions without undue impact.
- The Interserve decision also makes clear that there is limited ability to change the past: prior data incidents (and any remediation from such incidents that was left unaddressed) will be taken into account as aggravating factors. This is consistent with other decisions (and the ICO’s draft enforcement guidelines) and shows that the ICO is increasingly focused on organisations having the right governance and management systems in place to safeguard data. The Commissioner also stated (somewhat forcefully) that he considers the biggest cyber risk to be complacency within an organisation, and has warned that organisations will face fines if they fail to monitor for suspicious activity on an ongoing basis, act on warnings, update software and train their staff.
With cyberattacks on the rise and organisations handling more data than ever before, this latest ICO decision is another reminder that organisations must be able to demonstrate that they have considered relevant guidance on data and cyber risk and how it applies to their business, and that they have documented the key decisions taken to safeguard data.
Slaughter and May advised Interserve on its response to the cyberattack and the subsequent ICO investigation.