Learning from the British Airways and Marriott International fines: What does the GDPR standard of "Appropriate Technical and Organisational Measures" actually mean?
Published on 29th Aug 2019
This article was first published on ITPro:
Learning from the British Airways and Marriott International fines: Part 1
In July, the sea-change in data protection enforcement became abundantly clear when, in the space of two days, the Information Commissioner's Office (ICO) announced its intention to fine British Airways £183.39 million and Marriott International £99.3 million in relation to their high profile data breaches.
Indeed, thanks to the GDPR and a wave of high profile data breaches and cyber-attacks, the cyber-security industry is booming. Every professional services firm seems to have a solution for data breaches and cyber-attacks, whether in preventing them or managing them. But, as yet, no-one can definitively explain what the crucial words "appropriate technical and organisational measures" actually mean in the eyes of the regulators that will be handing out enormous fines for failure to meet that requirement in the context of data breaches.
We may get a better idea as to what this standard is when the ICO releases its reasoning in the British Airways and Marriott cases. But, for the time being, we need to rely on established practice and pre-GDPR decisions. This article will explore the concept and suggested measures that all organisations need to consider taking.
"Appropriate technical and organisational measures"
The requirement for companies to take "appropriate technical and organisational measures" to guard against inappropriate data use and misuse is not new. The same standard existed under the old Data Protection Directive regime from 1995. However, this phrase is one of the lynchpins of the GDPR regime; it features 24 times in a variety of contexts. Compliance with this central obligation, and a record of that compliance, is key both to preventing successful cyber-attacks and minimising regulatory exposure. Understanding what it means is crucial when dealing with regulators following a data breach.
Moreover, data controllers and processors are not just required to take “appropriate technical and organisational measures” (Article 32 of the GDPR), but also to demonstrate their compliance through extensive accountability obligations (Article 24 of the GDPR).
A similar, but slightly different, phrase is also used in the Security of Network & Information Systems (NIS) Regulations, which apply to the operators of essential and digital services. The NIS Regulations, which implement the NIS Directive, require operators of essential services to take "appropriate and proportionate technical and organisational measures" having regard to the state of the art.
There is no definitive answer as to what "appropriate technical and organisational measures" (or the phrasing in the NIS Regulations) means. But we can, by reference to the enforcement landscape and limited regulatory guidance, form a view as to what it means in practice and how the standard can be met.
Consequences of non-compliance
We need look no further than the ICO's intended fines for British Airways and Marriott International to see the potential consequences of breaching the GDPR.
The GDPR increases maximum fines from the previous £500,000 maximum to €20 million or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches. This includes failures to comply with data protection principles, the rights of data subjects, or the rules in relation to transfers of data to third countries. For breaches of the obligation to take "appropriate technical and organisational measures", the maximum fine is lower: €10 million or 2% of global turnover (whichever is higher) (although, in practice, a serious breach is likely to impact on the rights of data subjects too, such that the incident would be subject to the higher fine level).
For those companies caught by the NIS Regulations, there is the potential for 'double jeopardy' and two sets of fines under the two regimes. The maximum level of fine under the NIS Regulations is £17 million for material contraventions.
What technical measures should data controllers be implementing?
The security landscape is constantly evolving and the requirements of an organisation will vary hugely depending on its sophistication. In recent years, the ICO has criticised and fined a number of companies for failing to comply with a variety of technical requirements.
For example, in June 2017, the ICO fined Boomerang £60,000 for failing to take what the ICO categorised as "basic steps" to protect itself from cyber-attacks. Boomerang was the operator of a video rental website developed by a third party. The website contained a coding error in the log-in page which meant that an attacker could use SQL injection to gain access to username and password hashes for another section of the site.
Further, one of the passwords which could be used to obtain escalated access was a simple dictionary word (and, therefore, easy for an attacker to 'brute force'). The attacker used this escalated access to upload a malicious webshell, and, ultimately, download text files with cardholder details. In its decision, the ICO criticised Boomerang for failing to carry out regular penetration testing; using passwords susceptible to brute-force attack; and not keeping its decryption key secure.
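The Boomerang flaw described above is the textbook case of SQL built by pasting user input into the query text. The script below is an added example, not code from the ICO decision or from Boomerang's site: it reproduces the pattern against an in-memory SQLite database in which a log-in page looks up a password hash by username. The vulnerable lookup interpolates the username into the SQL; the fixed lookup binds it as a parameter, so the same payload that dumps every hash from the first returns nothing from the second. The table, user names and the placeholder "hash" strings are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo. The "hashes" are opaque placeholder strings
# standing in for real password hashes; nothing here is a real credential.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("admin", "hash-of-admin-password"),
]


def make_db():
    """In-memory SQLite database with a users table, standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_hash_vulnerable(conn, username):
    """The coding error: user input becomes part of the SQL text and can rewrite the query."""
    sql = f"SELECT password_hash FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_hash_safe(conn, username):
    """The fix: a parameterised query. The value travels separately from the SQL text,
    so it can only ever be compared against the column, never parsed as SQL."""
    sql = "SELECT password_hash FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


# A UNION-based payload: closes the quoted string, appends a second SELECT that returns
# every username joined to its hash, then comments out the trailing quote.
INJECTION = "nobody' UNION SELECT username || ':' || password_hash FROM users -- "

if __name__ == "__main__":
    conn = make_db()
    print("normal lookup :", lookup_hash_safe(conn, "alice"))
    print("vulnerable    :", lookup_hash_vulnerable(conn, INJECTION))
    print("parameterised :", lookup_hash_safe(conn, INJECTION))
```

The same payload shape works against most SQL engines, and a penetration test of the kind the ICO faulted Boomerang for not running would send exactly this class of input to every parameter of the log-in page.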
Companies ought to be thinking about adopting the below measures (some of which are both technical and organisational in nature). Where companies decide that any given measure is not appropriate to their size or the sensitivity of the data which they hold, then they should consider how that decision should be recorded.
Data Access Controls
Companies must consider how they control access to the personal and sensitive data that they hold. It may be appropriate to restrict access on a ‘need-to-know’ and ‘least privilege’ basis, and require authentication (single factor or multifactor, depending on the information being accessed). Further points to think about include managing the escalation of privileges, adjusting the access privileges for role changes or terminations, monitoring administrator accounts and whether access to critical systems should be treated differently.
Depending on the nature of the data held, it may be appropriate to store different types and categories of data separately, both to control access to different systems and to minimise the potential risk to information in the event that any one system is compromised.
Password Controls and Management
Password management needs to be carefully thought through, with appropriate protocols for passwords which cover complexity, how often and in what circumstances they should be changed, and where or whether they are recorded.
Companies must think about what data needs to be protected at rest (e.g. passwords, user names, security questions) and then what standard of protection should be applied. For passwords specifically, the right measure is not reversible encryption but a salted, deliberately slow one-way hash, so that a stolen database does not yield the passwords themselves; other fields may need to be encrypted. Encryption and hashing standards evolve, so companies should consider appointing someone with responsibility for monitoring the ongoing adequacy of the algorithms and parameters in use.
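As an added example of the password controls discussed above (not code from the article or from any ICO decision), the following Python uses only the standard library to enforce a denylist check at password-set time, store passwords as salted PBKDF2-HMAC-SHA256 hashes with the work factor recorded alongside the hash, verify them in constant time, and flag stored hashes whose work factor has fallen behind the current policy. The iteration count, the minimum length and the denylist contents are example values chosen here, not figures taken from the page.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. OWASP's current guidance is 600,000 iterations;
# revisiting this number periodically is the "ongoing adequacy" task mentioned above.
PBKDF2_ITERATIONS = 600_000

# Constructed, deliberately tiny denylist. A real deployment loads a large list of
# breached and common passwords; the Boomerang password was a plain dictionary word.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "football", "boomerang"}


def password_is_weak(password: str, denylist=COMMON_PASSWORDS, min_length: int = 12) -> bool:
    """Policy check at set/change time: reject short passwords and denylisted words.
    The thresholds are example values, not a figure from any regulatory decision."""
    return len(password) < min_length or password.lower() in denylist


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a salted, slow one-way hash rather than a reversible encrypted copy."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm, iterations, salt, hash. Storing the
    # parameters lets the work factor be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored hash predates the current work factor (or is not in the
    expected format); call after a successful login and re-hash the password then."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    candidate = "correct horse battery staple"
    print("weak?", password_is_weak(candidate))
    record = hash_password(candidate)
    print("stored record:", record)
    print("verify correct:", verify_password(candidate, record))
    print("verify wrong  :", verify_password("letmein", record))
    print("needs rehash  :", needs_rehash(record))
```

Because each record carries its own parameters, raising `PBKDF2_ITERATIONS` later is a policy change rather than a migration: `needs_rehash` picks up old records the next time their owner logs in.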
As part of any data mapping exercise (considered further in part two), companies ought to consider whether any data can be anonymised technically, whilst remaining of use (and, if so, how this can be achieved and for which categories of data).
Availability Control / Backups and Archiving
Under the GDPR, the definition of a "personal data breach" includes the accidental destruction, loss or alteration of data. This means that most companies will need to have in place some type of programme of regular back-ups and archiving (and, in devising that programme, consideration will need to be given to appropriate frequency, storage location (i.e. onsite or offsite) and the ease of recovery).
However, and as against the need to ensure availability, companies will also need to bear in mind their obligation to ensure that they are able to erase personal data when requested to do so by data subjects (Article 17 of the GDPR). Some methods of archiving / back-ups (immutable or offline archives, for example) make compliance with Article 17 of the GDPR impractical or impossible, so the back-up design should say how erasure requests will be recorded and re-applied whenever a back-up is restored.
Logs (Input Control) / Auditability
It is also important to consider whether it is appropriate to keep identity-critical logs, showing who accessed what, and when, for a period of time (e.g. 6 or 12 months). Such identity-critical logs should be stored securely, and separately to any data which might be targeted for attack, so that an attacker who reaches the data cannot also erase the record of having done so. Companies must then decide how often those logs should be reviewed, either in real-time or at intervals.
For companies with vast amounts of data, it will usually be appropriate to at least consider the use of Security Information and Event Management (SIEM) software, which collects logs from across the estate and provides for 24/7 review for anomalies and suspicious activity. A SIEM is only as useful as the log sources fed into it and the detection rules and triage process behind it, so those need to be designed and maintained alongside the tool.
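To make the "who accessed what, and when" point concrete, here is an added example (not code from the article, and not taken from any product) of two detection rules of the kind a SIEM would run over access logs: a burst of failed log-ins from one source address, and one account reading an unusual number of distinct records in a short window. The log format is a key=value layout assumed for the example, and the log lines, which tell a story like the Boomerang incident (password guessing, a successful log-in, then bulk record access), are constructed. The thresholds and windows are example settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log in an assumed key=value format (timestamp first).
SAMPLE_LOG = """\
2019-08-01T09:12:03Z user=alice action=login src=10.0.0.5 result=ok
2019-08-01T09:12:10Z user=alice action=read record=cust-1042 src=10.0.0.5 result=ok
2019-08-01T09:30:00Z user=admin action=login src=203.0.113.7 result=fail
2019-08-01T09:30:02Z user=admin action=login src=203.0.113.7 result=fail
2019-08-01T09:30:04Z user=admin action=login src=203.0.113.7 result=fail
2019-08-01T09:30:06Z user=admin action=login src=203.0.113.7 result=fail
2019-08-01T09:30:08Z user=admin action=login src=203.0.113.7 result=fail
2019-08-01T09:30:10Z user=admin action=login src=203.0.113.7 result=ok
2019-08-01T09:31:00Z user=admin action=read record=cust-2001 src=203.0.113.7 result=ok
2019-08-01T09:31:05Z user=admin action=read record=cust-2002 src=203.0.113.7 result=ok
2019-08-01T09:31:09Z user=admin action=read record=cust-2003 src=203.0.113.7 result=ok
2019-08-01T09:31:14Z user=admin action=read record=cust-2004 src=203.0.113.7 result=ok
2019-08-01T10:05:00Z user=bob action=login src=10.0.0.9 result=fail
2019-08-01T10:05:30Z user=bob action=login src=10.0.0.9 result=ok
"""


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 1: `threshold` or more failed log-ins from one source within `window`.
    Returns {src: (first_failure, last_failure, count)} for each alerting source."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures (sliding window)
    alerts = {}
    for ev in events:
        if ev.get("action") != "login" or ev.get("result") != "fail":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (q[0], ev["ts"], len(q))
    return alerts


def bulk_record_reads(events, threshold=3, window=timedelta(minutes=10)):
    """Rule 2: one user reading `threshold` or more distinct records within `window`.
    Returns {user: peak number of distinct records seen in any window}."""
    recent = defaultdict(deque)  # user -> (timestamp, record) of recent reads
    alerts = {}
    for ev in events:
        if ev.get("action") != "read":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["record"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {rec for _, rec in q}
        if len(distinct) >= threshold:
            alerts[ev["user"]] = max(alerts.get(ev["user"], 0), len(distinct))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, (first, last, n) in failed_login_bursts(events).items():
        print(f"ALERT brute force: {n} failures from {src} between {first} and {last}")
    for user, n in bulk_record_reads(events).items():
        print(f"ALERT bulk access: {user} read {n} distinct records in one window")
```

Both rules only work if the application actually emits a log line per log-in attempt and per record read with the user and source identified, which is the retention and content decision the paragraph above asks companies to make; a SIEM cannot detect what was never logged.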
For most companies, some kind of regular testing (such as penetration testing or vulnerability assessments) will be appropriate by way of 'health check' and to ensure that best practice is being adhered to and maintained. For many companies, yearly penetration testing will be appropriate. Once that has been carried out, companies will need to be very careful to ensure that any recommendations are appropriately actioned.
All companies will need to have properly configured firewalls in place.
Secure hardware and software configuration
When introducing new hardware or software (or reviewing existing hardware and software), companies should take care to ensure that the configuration of those additions is carefully managed (for example, default passwords should be changed). Further, companies should think carefully as to whether unused software and services should be removed.
Companies should have in place appropriate anti-virus or anti-malware products regularly scanning their networks. This software (and all other software) will need to be kept up to date and properly configured to scan relevant areas.
Software updates and patches
Companies will need to have in place a system for ensuring that critical patches and software updates are implemented in a timely manner, and should also consider how they monitor for vulnerabilities in commonly used software. It is worth noting that the National Cyber Security Centre, which is GCHQ's cyber arm, often publishes information about new vulnerabilities.
Should companies benchmark against international standards?
Depending on the categories of "personal data" which a company holds, a company may be obliged (by legislation other than the GDPR) to meet certain international standards. Even where there is no legal requirement to benchmark technical measures to an internationally recognised standard, companies may be contractually required to do so (for example, by their customers or, for cardholder data such as that lost by Boomerang, by the card schemes under PCI DSS) or they may choose to do so as a means of demonstrating compliance and/or competitive advantage. Examples include the UK government's Cyber Essentials and Cyber Essentials Plus schemes, ISO/IEC 27001, and sector guidance such as that issued by the US SEC's Office of Compliance Inspections and Examinations (OCIE), to name but a few.
Keeping up with guidance and best practice
For all organisations, but especially for large ones, it will be important to ensure guidance and industry best-practice is regularly monitored. The ICO will take into account any failure to implement publicly available guidance issued by Government bodies when considering whether there has been a breach of the requirement to take appropriate technical and organisational measures.
This article has reviewed the key technical requirements that companies must consider in order to be GDPR compliant, as well as the potential consequences of failing to do so. However, there are also a number of organisational measures that must be taken into account, and part two of this article will discuss such measures. It will also consider GDPR compliance in the context of mergers and acquisitions and how companies should deal with the ICO post-breach.