ICO decision a warning to large retailers: are you meeting its cyber security expectations?

Written on 17 Jan 2020

In last week's fine against the owner of Currys PC World and Dixons Travel, the ICO set out the minimum cyber security measures large nationwide retailers (and organisations of similar size and profile) should take.

This article sets out those measures and key questions that IT departments, in-house legal teams, and DPOs should be considering as a result of the ICO's decision. For a more detailed analysis of the ICO's decision, please read our in-depth briefing note here.

What happened?

The ICO has issued DSG Retail Limited, the owner of Currys PC World and Dixons Travel stores, with a sizeable fine of £500,000 under pre-GDPR legislation. The decision sets out the ICO's expectations as to the "appropriate technical and organisational" measures companies must take to protect personal data. As such, the decision is very relevant to how the equivalent standard will be applied under the GDPR.

What measures should companies take?

The ICO's decision makes clear that, by mid-2017, organisations such as Currys PC World and Dixons Travel should have had at least the following technical and organisational measures in place:

  1. network segregation;
  2. local firewalls;
  3. software patching and updates;
  4. penetration testing and vulnerability scanning (at regular intervals);
  5. application whitelisting;
  6. logging and monitoring systems;
  7. point-to-point encryption;
  8. privileged account management; and
  9. adherence to industry standard hardening guidance.

These measures likely constitute the minimum appropriate technical and organisational measures that organisations of a similar size and profile should have in place. Organisations that depart from those measures will need to have good reasons why those measures are not appropriate to them.

Practical lessons

The ICO has also made clear that it will ask the following questions of any organisations that it is investigating following on from a breach:

  1. Have you implemented specialist advice given to you (for example, advice received following on from a penetration test or any external assessment of your security)?
  2. Have you implemented publicly available best practice / external guidance?
  3. Have you complied with industry standards?
  4. Have you complied with your own internal policies?
  5. Are you confident that you can proactively identify breaches?
  6. Have you learned lessons from issues experienced by your group companies?

Our more detailed analysis of the ICO's decision sets out the importance and relevance of each of these questions, along with further practical guidance.

Osborne Clarke comment

Whilst the ICO's decision was made under the pre-GDPR legislation, it contains important findings for all organisations and especially those with similar profiles to DSG. There is now a growing body of regulatory guidance from data protection regulators across Europe on these issues and this will continue over the next year or so as they work through a backlog of post-GDPR breaches. Companies that don't heed that guidance will not just face potential fines but also follow-on litigation.