The GDPR Enforcement Tracker website shows a dramatic increase in the number of fines being issued for data breaches in recent months. Across Europe only 75 fines were levied in the first two years after GDPR came into force, or about 3 fines per month. However, in the last 9 months a further 72 fines have been issued and half of these were in the last 3 months! Indeed the Swedish regulator issued 8 fines, totalling €6.8m, in December 2020 alone.
Romania and Spain remain the most active regulators, with 28 and 16 fines respectively; whilst Italy has moved into third place with 12 fines. Overall, across the 27 countries of the EU and the UK, 24 countries have now issued at least one fine under Articles 32, 33 or 34 of GDPR.
The UK remains a bit of an outlier, compared with other large economies, with the Information Commissioner’s Office (ICO) having only issued 4 penalties so far. However, these include 3 out of the “Top 10” largest fines for data breaches, namely:
It is not clear why the ICO is taking a different approach to the majority of EU regulators; and whether this will continue from October 2021 under the next Information Commissioner. It is also not clear whether the recent increase in the number of fines is a temporary blip, or represents a new normal. Regardless of these unknowns, the fact remains that data breaches are extremely costly; both in financial and reputational terms. Follow the link to the Information Security section of our website to see how we can help you to minimise the risk of an information security incident.
At approximately 7pm on Friday 9th February 1996, a truck-bomb exploded close to South Quay DLR station, killing two people and injuring over 100 others. At the commemoration yesterday to mark the 25th anniversary, survivors commented on how they feel forgotten. Certainly the incident seems to have faded in the public consciousness faster than the bombings at the Baltic Exchange and Bishopsgate a few years earlier, or the Manchester Bombing four months later. This is peculiar, given the loss of life and the attack’s political significance as the end of the Provisional IRA ceasefire.
Perhaps the relative lack of awareness of the Dockland Bombing speaks to an early success of business continuity management. Presumably, in targeting Docklands, the Provisional IRA sought to replicate the success of previous attacks on the City of London; and cause massive disruption to the financial services sector. However, firms in the sector had learnt quickly from those previous attacks and had invested heavily in their disaster recovery capabilities. Thus, despite destroying a Midland Bank building and South Quay Plaza I and II (and causing £150m of damage), disruption to businesses was kept to a minimum. Sadly, the same could not be said in Manchester four months later when an even larger truck-bomb devastated the city centre.
The 7/11 bombings, nearly a decade later, demonstrated that technical disaster recovery is only part of an overall solution; but the resilience demonstrated by businesses impacted by the South Quay bomb is still an important milestone in the evolution of business continuity management. So, as we remember the victims and survivors of the attack, perhaps we can also take some professional pride in the fact that the incident is not as well known as it really should be.
Nearly a week on from Sky News breaking the story that Serco had been the victim of a ransomware attack, details of the incident are still very sketchy. From a UK perspective, we are being reassured that the attack has only affected systems on mainland Europe; so that the NHS Test and Trace programme is not impacted. That may be so, but the fact that the attack succeeded in one part of Serco does suggest that other areas could be vulnerable. More broadly, it prompts further questions about the robustness of the controversial procurement process under which Serco was awarded the Test and Trace contract: what assurances on information security were required?
The restriction to mainland Europe is presumably less reassuring to some other major Serco customers such as NATO, the Belgian Military and the European Space Agency. Serco appears to have assured these key customers that their data has not been compromised, but it is unclear what this assurance is based on. Meanwhile, Serco has remained tight-lipped publicly, declining to comment on the impact of the attack or whether they have paid any ransom.
Serco’s strategy of trying to minimise the impact is reminiscent of the UK Government’s response to the news of a massive data loss from the Police National Computer only three weeks ago. The Home Office’s initial claim that only 150 000 records had been deleted had to be revised upwards shortly afterwards (and may yet rise further). Only time will tell if Serco’s claims of “nothing to see here” hold up to scrutiny.
We first blogged about Covid-19 a year ago. That blog post recalled the lack of reliable information upon which to make decisions during the ‘flu pandemic of 2009; and predicted that, once again, this pandemic would be characterised by deep uncertainty. I never suspected when I wrote it that, one year on, we would still understand so little; such that our only viable response to the recent sharp rise in case numbers in the UK is the blunt instrument of another lockdown.
Whilst I cautioned in January 2020 that we would need to be patient and wait for reliable data on how the pandemic was likely to progress; I had assumed that, by this stage, we would have a very detailed understanding. We have, of course, learnt much over the last 12 months about reproduction rates, incubation periods, and rates of hospitalisation and death. Yet, even now, much is still unclear; including important issues for managing risk within our own organisations, such as the extent to which the disease is spreading through contaminated surfaces and objects (as opposed to directly from person to person).
Whilst Covid-19 has been an extreme example, the events of the last year have been a salutary reminder of just how elusive certainty is in any crisis situation. If we can all take that learning with us when we next have to deal with a crisis, all the awfulness of the pandemic will at least have done some lasting good.
I have read many books about decision-making over the years, mostly from a perspective of psychology/behavioural economics. Some have focused on the particular challenges of decision-making in a crisis; whilst others are more general in their outlook, but still generally contain useful nuggets for crisis management. I have to say that this book by Roger Estall and Grant Purdy is quite unlike any other!
The main body of the book is an exposition of the authors’ grandly-titled “Universal Method for Decision-Making“. Whilst there are many useful common-sense observations contained therein, based on the authors’ extensive consulting experience; it is arguable whether it really justifies being called a “method”. For example, there is a whole chapter on “Conversing” effectively. The chapter dealing with assumptions and uncertainty is probably the most interesting; and is clearly relevant to the practice of crisis management. However, much of the book is formatted as a series of appendices, of which two particularly struck me…
Appendix B, “Anticipating the Unexpected“, consists largely of a blistering attack on “the faulty rationale of so-called Business Continuity Management“, which, according to the authors, “was invented as a catchy label for a narrow protocol intended only to provide a blueprint for responding to a disruption should it occur.” I always thought (and ISO 22313 seems to agree) that reducing the likelihood of disruption through an effective risk assessment was a critical part of the business continuity management process; but I now stand corrected.
This then broadens out into an attack on “The ‘Risk Management’ Millstone” in Appendix C. Many of their criticisms of the way that risk management is frequently implemented, particularly by large consultancies, are entirely valid; but that does not mean that it cannot be done well. In particular, they cite the examples of the failure of Enron and the crashes of Boeing 737MAX aircraft as proof that risk management does not work (not just that it was implemented very badly in these organisations). Having criticised risk management for the use of confusing terminology, the authors propose instead to reduce uncertainty by embedding “secondary elements” into each decision. They conclude that “The universal method of decision-making enables Deciders to achieve sufficient certainty: there is simply no need for any version of ‘risk management’.”
As you may have gathered by now, I wouldn’t really recommend this book.
More details have emerged in the last couple of weeks of the significant impact of the ransomware attack on the Scottish Environment Protection Agency (SEPA) that began on Xmas Eve. Nearly 4 weeks on, it has emerged that the email system is still down and that emails submitted since the attack began cannot be accessed. It is not even clear if the various IT systems that have been affected can be restored, or will ultimately have to be replaced.
It has also emerged that 1.2Gb of data has been stolen. Whilst this is a small amount by the standards of modern data breaches, SEPA have advised it includes information relating to businesses, procurement, projects, and staff. The motive for the attack remains unclear. SEPA states that the attack is likely to be the work of “international serious and organised cyber-crime groups”, and at least one ransomware group has already claimed to have stolen data from SEPA.
SEPA is to be commended for the way in which it has recovered priority services, such as flood forecasting and on-line reporting of pollution incidents, in this difficult situation. However, following the targeting of Hackney Borough Council in October 2020, it is a concern that another important public-sector organisation has been impacted in this way.
Many of us woke up in the UK this morning to the story that, unbelievably, 150 000 records had been erroneously deleted from the Police National Computer. The data loss, which occurred during a regular weekly purge of data, has been attributed to a coding error which has now been rectified. Reassuring as this may be in the short term, it does raise the question of how many other “coding errors” remain undetected.
Mistakes like this do happen, and will continue to do so; but one would have assumed that the data could simply be restored from a backup. However, the fact that the Government has still not said that the data has been recovered suggests that the process is not as simple as one would imagine. What sort of information security management framework is in place at the Home Office?
It is also interesting to note the Government’s crisis communications response. There has been a repeated emphasis on the belief that “…the loss relates to individuals who were arrested and then released with no further action”; as if this makes it OK. There is no particular reason to believe that a loss of data relating to individuals who had been convicted of very serious offences could not have taken place in a similar manner.
Where organisations focus on trying to minimise the seriousness of information security incidents like this; I am always sceptical about how seriously they are committed to a thorough root cause analysis, and to implementing the necessary changes to their information security practices. Absent this commitment, history has a tendency to repeat itself.
Sadly, there has been no shortage of stories of businesses struggling with Covid-19 in the last year. However, I was intrigued by the story this week about Frontier Development experiencing delays in the release of their much-anticipated Elite Dangerous Odyssey. One would have imagined that developing video games would be one of the industries that would be least affected by Covid-19; but the company specifically cited the difficulty of coordinating activities across a large project development team when almost everybody is home working as the reason for the delay.
There has been much talk over the course of 2020 about how effective home working has been. Indeed, many commentators have predicted that large swathes of the workforce will never return to a conventional office setting again. However, evidence to back up the claims for the effectiveness of homeworking seems pretty scarce. Nobody I have talked to has actually attempted, in any systematic way, to measure the effectiveness. Even if they had attempted to, with many organisations experiencing much reduced levels of demand it would be impossible to say if current home working arrangements would cope with normal levels of activity. My own experience, of invoices taking significantly longer to be paid over the last few months, suggests that maybe home working isn’t actually as efficient as all that.
Clearly, we will be battling Covid-19 for some time to come; and home working will be part of life for many of us for a while yet. Undoubtedly, when we emerge at the other side, much will have permanently changed about the way we live and work. My suspicion though is that the shift towards home working will be much less pronounced than many people have predicted. Quite apart from arguments about business efficiency; the last few months have also exposed a range of social, health and wellbeing issues around home working.
I suspect that, as business continuity professionals, we will still be contingency planning for loss of office space for some time to come. Hopefully though, lessons learnt from home working through Covid-19 will enable us to plan much more effectively for this in the future.
As usual, at this time of the year, we like to review the data on product recalls in the UK. Annual data for recalls of food products (from the FSA website) and electrical products (from the Electrical Safety First website) are shown below.
Despite my comment a year ago that “the figures are pretty low and fairly steady” for food recalls; looking at the graph now I would have to conclude that there appears to be an overall upward trend. It is difficult to say for sure, given all the year-to-year variation; but it looks like numbers have roughly doubled in the last ten years!
It’s somewhat harder to make any sense of the figures for electrical product recalls. However, it’s surprising to see that recalls in both categories last year were up on 2019, despite the huge reduction in economic activity because of Covid-19.
As ever, the purpose in our annual review is not to analyse the root causes or to make predictions for the future. We just want to remind people that being prepared to manage a product recall is part and parcel of doing business in many sectors. Even as we wrestle with Covid-19, we must not forget about the many other forms of disruption to which we are vulnerable.
It’s always great to see a new book on crisis management, and I was particularly interested to see this one as I used to run crisis management training courses with Jonathan Hemus some years ago. One of the most common problems with books that purport to be about crisis management is that they really just talk about crisis communications; so it was great to see the author repeatedly emphasise the point that crisis communications is only ever part of an overall crisis response.
The book is at its best when Jonathan draws on his extensive experience with a broad range of clients to paint a vivid picture of what good (and bad) crisis management looks like; particularly in some of the early chapters. References to a number of recent crises help bring this discussion to life. The two later chapters on crisis management exercises also bring that topic to life and contain much useful guidance. The book is weaker though when it attempts to generalise, with examples and statistics apparently cherry-picked to support particular claims about the impact of crises and why some firms perform better than others.
My main criticism of the book is the way in which it appears to position crisis management as a separate, stand-alone process or system within the organisation. Despite discussing the relationship with other disciplines in Chapter 2; when it comes to talking about developing a “crisis management plan” in Chapter 8, no reference is made to these other disciplines. In particular, there is no attempt to explore the relationship between the “crisis management plan” and the “incident management plan”, which is an integral part of any business continuity management system. Thus, it appears, one could have completely separate command structures and documentation for dealing with different types of incident within the same organisation. I have always found it more helpful to think of crisis management as an organisational capability (developed through training and exercising), rather than a separate process with its own extensive suite of documents.
Overall I found the book very readable, and I am sure that it will achieve its stated aim of encouraging and giving confidence to senior managers new to the field of crisis management. I would just urge readers to explore some alternative viewpoints before getting into the details of implementation.