Revised guidance from the Information Commissioner’s Office (ICO) on Right of Access and Subject Access Requests provides additional guidance on stopping the clock for clarification, what is a manifestly excessive request, and what can be included when charging a fee for excessive, unfounded or repeat requests.

Two monetary penalty notices issued by the ICO following data breaches set out the root causes of those breaches, and the lessons are directly relevant to professional services firms.

British Airways was fined £20m. The causes of the breach included failure to use multi-factor authentication (MFA), failure to address known Citrix security issues, failure to apply user access management (the principle of least privilege) and failure to implement application whitelisting or blacklisting. Other measures which could have been implemented included penetration testing, logging access to certain files, monitoring of failed log-in attempts and monitoring of guest accounts.

Marriott International Inc was fined £18.4m. The notice identifies risks from acquisition of other businesses, in this case Starwood, which may have undiscovered security vulnerabilities – equally applicable to law firm mergers.

Again, MFA issues featured significantly, though these were not taken into account in fixing the penalty due to assurances on which Marriott had relied. Factors considered included insufficient monitoring of privileged accounts, insufficient monitoring of databases, control of critical systems (through whitelisting), and lack of encryption of payment card data and passport numbers.

Marriott’s submission that Article 33 of GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO was rejected: instead, a data controller must be able reasonably to conclude that it is likely a personal data breach has occurred.

The SRA has published a useful webinar on cybercrime.

Links to the above are on
