Charities Targeted By ICO Over Sensitive Data And Cyber Risk

Cyber risks should be high on the risk management agenda of third sector organisations as incidents hit the headlines and burden small organisations with increasing frequency. Cyber risk can be grouped broadly:

Operational cyber risk

This concerns the risk to business continuity if an organisation is denied the use of its electronic systems, for example when staff lose access to their devices.

Data risk

Never before have organisations been able to hold and transfer so much data with such speed and ease. A significant part of information cyber risk relates to the growing legal regulations and sanctions associated with data.

Financial Cyber Crime

Committed by hacking or spoofing communications such as fund transfer requests, or by interfering with website payment links.

Keeping Sensitive Data Secure

Nowadays, virtually every organisation operates electronically in some way to perform its key services, maintain an online profile, and manage back office requirements such as accounts and payroll.

It is important to note that cyber risks are not limited to hacking incidents. Exposure to such risks can arise from employee and software errors.

Back in 2015, the Information Commissioner’s Office announced an investigation into claims that an 87-year-old man’s personal details had been sold or passed on by charities up to 200 times.

Although many people back then may not have considered this a ‘cyber’ incident, with GDPR implemented last year it is now considered a major breach which, if it occurred today, could see organisations facing fines of up to €20 million or 4% of their annual turnover, as well as civil claims brought by each of those affected.

Digital data therefore comes with increasing legal and reputational risk.

Claims: Can you afford an ICO fine?

  • Stolen laptop: data breach and ICO fine.
  • Website vulnerability: caused a data breach and ICO fine.
  • Charity website defaced: PR incident in the national press.
  • Ransomware attack.
  • Data breach by a service user who had access to an employee’s phone and apps.
  • Accidental email: sensitive data sent to the wrong recipient.

Cyber Risk & The ICO: BPAS Case Study

The financial, reputational and legal exposures of digital data to charities were highlighted when the ICO fined the British Pregnancy Advice Service £200,000 on 28 February 2014.

Like many charities, the BPAS held personal and sensitive data.

Information belonging to 9,900 people who had approached the charity for advice was stolen by a hacktivist who threatened to release it.

The BPAS was not aware it was storing the information, highlighting the difficulty that organisations face in tracking and controlling the information they process.

The ICO found that the BPAS had failed to adopt appropriate technical and organisational measures. Despite the fine, the BPAS’s response was commended by the ICO: it voluntarily reported the incident, cooperated with the ICO, and took steps to protect potentially affected data subjects.

All third sector organisations should ask themselves what they would do before, during, and after suffering a similar incident and should prepare accordingly.

Managing cyber risk – ThirdSectorProtect

The UK Department for Digital, Culture, Media and Sport reports that 42% of charities sought information, advice or guidance on cyber matters in 2018, a sign that charities are becoming aware of cyber risks.

Organisations should continue to look into which preventive (risk management) measures they can effectively use, just as they protect the security of their buildings and property assets.

However, many of the prevailing issues are simply not preventable risks, and they are being fuelled by dependency on IT, GDPR legislation, and a compensation culture around privacy.

Specialist cyber insurance policies offer policyholders a combination of:

  • Incident management: access to legal, cyber and PR experts in the event of an incident.
  • Your own costs including business interruption or loss of data.
  • Claims against you following an incident.

An effective insurance policy will help charities, not-for-profit and care organisations respond to cyber incidents, and gives confidence to the other parties to whom they provide services or whose data they handle.

Contact our expert team at ThirdSectorProtect to enquire about protecting your charity from cyber risk with insurance.

Get In Touch Today: 0800 877 8277
