Cyber-crime, including scenarios where ransoms are demanded to decrypt data or destroy improperly taken copies, is a fact of life. The recent news that Blackbaud was subject to an attack comes as a reminder that the education sector is not immune. The scenario, that a cloud provider is attacked but recovers data, is a challenging one for schools. It is specific enough to engage a very particular application of rules and requirements but at the same time is the sort of scenario for which ideally they should be prepared.
Here we look at some key issues for schools to consider.
Under data protection law, an online provider of cloud-based services is usually a "data processor" to the school as "data controller".
When engaging processors, the GDPR requires schools to:
Processors are required by the GDPR to report breaches to the controller "without undue delay" but in our experience this does not always happen. If you have not been contacted by your processor about a data incident, and if you are aware of one involving them, it is prudent to check with them whether your data has been involved.
As a priority, schools told that their data may be involved should establish from the processor assurances about extent of loss, what data was involved, and whether the data is now secure.
As the school is the controller, it is the school's responsibility to report the data breach to the ICO "unless the breach is unlikely to result in a risk" to individuals. If it meets the threshold for reporting, a breach must be reported within 72 hours of the school becoming aware. Even if the data processor has made its own voluntary report to the ICO, reporting, if required, remains the school's responsibility. Not all breaches are reportable and schools should consider carefully whether the circumstances warrant reporting.
If a school does decide to report a breach to the ICO in circumstances where the breach was caused by a processor then the school should check to make sure that the three steps outlined above were taken. The ICO is far less likely to take enforcement action against the school if the arrangement is compliant and appropriate checks were carried out by the school on the processor. The ICO has previously fined controllers that didn't do enough to check their contractor's compliance.
A school will also need to consider reporting to affected data subjects. The threshold here is higher than it is for reporting to the ICO. Data subjects only need to be told if the breach represents a "high risk". However, it can sometimes be prudent to inform individuals even where the legal threshold has not been met, for example, if there is a risk that the breach will become public knowledge then it may be better reputationally if the school is seen to be transparent and proactive, rather than individuals finding out later that their data had been compromised.
Blackbaud is used by many schools to facilitate communications with alumni and supporter databases. When considering whether to notify individuals, we suggest that schools analyse the impact that notifying or not notifying will have on the reputation of the school in the eyes of those affected. For example, some individuals may be more concerned not to receive a communication from the school, and in those circumstances it may be beneficial to notify individuals, even where the legal threshold to do so has not been met.
There are other points to consider, for example, whether to notify the police. Insurers should also be involved.
More easily overlooked is the need to report a serious incident to the Charity Commission, if your school is a charity in England and Wales.
Reportable serious incidents are adverse events, actual or alleged, involving or risking significant harm to the school, its work, property, assets or the people it comes into contact with. A decision whether or not to report - the reasoning for which should be recorded - is typically made with close reference to the Charity Commission's guidance on reporting serious incidents. It will often involve exercising judgment, guided by the guidance, about whether the threshold of significant harm is met.
There may be no fixed deadline for reports to the Commission, but that does not mean that it is not a priority. Reports to the Commission must be made promptly, as soon as is reasonably possible or immediately after the school is aware. Depending on circumstances, this could be more stringent a requirement than a fixed deadline.
Where data breaches are concerned, trustees and/or governors can often short-cut deliberations about the significance of harm. A list of examples published by the Charity Commission specifies a data breach reported to the ICO as a reportable serious incident. If the matter is reported to the ICO, then it follows that a report should also be made to the Charity Commission. The importance of reporting to the Charity Commission is underlined by its extensive statutory powers to share information with, and receive information from, other regulators - it is at least possible that the Commission could learn from the ICO that a report of a data breach has been made.
The Commission's guidance also indicates that, with a few exceptions, schools with charitable status should report cyber-crime involving them. Given the Commission's interest in risk affecting the sector at a strategic level, this even includes attacks blocked by security systems if the attack is unusual. Significant harm includes adverse publicity harming the school's reputation.
Given the ability of the ICO and the Charity Commission to share information with each other, it is equally possible that the ICO could become aware of a data breach from the Charity Commission. Schools that make a serious incident report to the Charity Commission may therefore wish, even if the threshold for mandatory reporting to the ICO is not met, to make a voluntary report to the ICO. If the school decides to report to the Commission but not to the ICO, then the submission to the Commission should set out very clearly why the school considers that the threshold for reporting to the ICO has not been met.
Given the potential for the Charity Commission and the ICO to co-ordinate, particularly where a publicised breach affects a number of charity data controllers, it is at least pragmatic (and in some circumstances required) to make a report to both.