Cyber-crime, including scenarios where ransoms are demanded to decrypt data or destroy improperly taken copies, is a fact of life. The recent news that Blackbaud was subject to an attack comes as a reminder that the charity sector is not immune. The scenario, that a cloud provider is attacked but recovers data, is a challenging one for trustees. It is specific enough to engage a very particular application of rules and requirements but at the same time is the sort of scenario for which ideally they should be prepared.
Here we look at some key issues for charities to consider.
Under data protection law, an online provider of cloud based services is usually a "data processor" to the charity as "data controller".
When engaging processors, the GDPR requires charities to:
Processors are required by the GDPR to report breaches to the controller "without undue delay", but in our experience this does not always happen. If you have not been contacted by your processor about a data incident, and if you are aware of one involving them, it is prudent to check with them whether your data has been involved.
As a priority, charities told that their data may be involved should establish from the processor assurances about extent of loss, what data was involved, and whether the data is now secure.
As the charity is the controller, it is the charity's responsibility to report the data breach to the ICO "unless the breach is unlikely to result in a risk" to individuals. If it meets the threshold for reporting, a breach must be reported within 72 hours of the charity becoming aware. Even if the data processor has made its own voluntary report to the ICO, reporting, if required, remains the charity's responsibility. Not all breaches are reportable and charities should consider carefully whether the circumstances warrant reporting.
If a charity does decide to report a breach to the ICO in circumstances where the breach was caused by a processor, then the charity should check to make sure that the three steps outlined above were taken. The ICO is far less likely to take enforcement action against the charity if the arrangement is compliant and appropriate checks were carried out by the charity on the processor. The ICO has previously fined controllers that didn't do enough to check their contractor's compliance.
A charity will also need to consider reporting to affected data subjects. The threshold here is higher than it is for reporting to the ICO. Data subjects only need to be told if the breach represents a "high risk". However, it can sometimes be prudent to inform individuals even where the legal threshold has not been met, for example, if there is a risk that the breach will become public knowledge then it may be better reputationally if the charity is seen to be transparent and proactive, rather than individuals finding out later that their data had been compromised.
There are other points to consider, for example, whether to notify the police. Insurers should also be involved.
More easily overlooked is the need to report a serious incident to the charity regulator. For non-exempt charities in England and Wales, the majority of charities directly regulated by the Charity Commission, they will need to consider whether to make a report to the Charity Commission. Exempt charities should check the reporting requirements of their own principal regulators.
For non-exempt charities, reportable serious incidents are adverse events, actual or alleged, involving or risking significant harm to the charity, its work, property, assets or the people it comes into contact with. A decision whether or not to report - the reasoning for which should be recorded - is typically made with close reference to the Charity Commission's guidance on reporting serious incidents. It will often involve exercising judgment, guided by the guidance, about whether the threshold of significant harm is met.
There may be no fixed deadline for reports to the Commission, but that does not mean that it is not a priority. Reports to the Commission must be made promptly, as soon as is reasonably possible or immediately after the charity is aware. Depending on circumstances, this could be more stringent a requirement than a fixed deadline.
Where data breaches are concerned, trustees can often short-cut deliberations about the significance of harm. A list of examples published by the Charity Commission specifies a data breach reported to the ICO as a reportable serious incident. If the matter is reported to the ICO, then it follows that a report should also be made to the Charity Commission. The importance of reporting to the Charity Commission is underlined by extensive statutory powers to share and receive information from other regulators - it is at least possible that the Commission could learn from the ICO if a report of a data breach has been made.
The Commission's guidance also indicates that, with a few exceptions, charities should report cyber-crime involving them. Given the Commission's interest in risk affecting the sector at a strategic level, this even includes attacks blocked by security systems if it is unusual. Significant harm includes adverse publicity harming the charity's reputation.
Given the ability of the ICO and the Charity Commission to share information about charities under their mutual regulation, it is also true that the ICO could become aware of a data breach from the Charity Commission. Trustees who make a serious incident report to the Charity Commission may therefore wish, even if the threshold for mandatory reporting to the ICO is not met, to make a voluntary report to the ICO. If the trustees decide to report to the Commission but not the ICO, then the submission to the Commission should set out very clearly why the trustees consider that the threshold for reporting to the ICO has not been met.
Given the potential for the Charity Commission and the ICO to co-ordinate, particularly where a publicised breach affects a number of charity data controllers, it is at least pragmatic (and in some circumstances required) to make a report to both.