Information Commissioner's Office (ICO)

As a result of the COVID-19 pandemic, many more organisations have moved their business operations online.  From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s data by locking the computer or encrypting the data until the demanded ransom is paid. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.

Ransom attacks are on the rise, with the ICO reporting an increase from 13 ransomware incidents per month to 42 at its 2021 conference. In the U.S., the recent Kaseya ransomware attack affected nearly 200 companies, while the recent pipeline attack disrupted fuel supplies to the East Coast for several days, leading to fuel shortages.

According to a global survey conducted by Sophos, the average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. These remediation costs include business downtime, lost orders and operational costs. The average ransom paid is $170,404, yet only 8 per cent of organisations managed to recover all of their data after paying a ransom.

In 2020 and so far this year in 2021, the manufacturing, government, education, services and healthcare industries have been particularly hard hit by ransomware attacks. However, no industry is immune from such attacks and ransomware attacks are featured across all industries, including utilities, technology, logistics, transportation, finance and retail.Continue Reading Ransomware is on the rise – what to do if you are faced with a cyber attack

In early January, the Article 29 Working Party (WP29) adopted its 2017 Action Plan (Action Plan) on the implementation of the General Data Protection Regulation (GDPR).

Amongst the actions proposed, the Action Plan provides a list of guidelines to be published throughout the year; which are set to cover:
Continue Reading Article 29 Working Party adopts its 2017 Action Plan

The early part of 2015 saw major changes to the monetary fines that may be imposed for breaches of the Data Protection Act (‘DPA’). For example, unlimited fines may now be imposed by UK Magistrates’ courts for criminal offences under the DPA.

The Information Commissioner’s Office (‘ICO’) has now seen similar changes to its powers.

The First Tier Tribunal General Regulatory Chamber (Information Rights) (the “FTT”), in the case of Alan Matthews v Information Commissioner [2014] EA/2012/0147, ruled that – despite being “personal data” – the name and qualifications of a private consultant should be released in response to a request under the Freedom of Information Act 2000 (“FOIA”).

The UK Data Protection Watchdog, the Information Commissioner’s Office (ICO), has launched a public consultation on their future governance strategy, the ‘2020 Vision for Information Rights’. The ICO is being challenged by significant changes in the regulatory landscape triggered by imminent reform of EU data protection law. Simultaneously, the UK regulator is facing cutbacks in

This post was written by Cynthia O’Donoghue.

A judgement of the Upper Tribunal of the UK Information Rights Tribunal (the Tribunal), in the case of Central London Community Healthcare Trust v Information Commissioner [2013] UKUT 0551 (AAC), has ruled that organisations which voluntarily report incidents of data security breaches to the ICO do

This post was written by Cynthia O’Donoghue.

The First Tier Tribunal (Information Rights) granted appeal against a monetary penalty notice of £300,000 issued by the Information Commissioner in the case of Christopher Niebel v The Information Commissioner (EA/2012/2060), ruling that the penalty notice should be cancelled.

The monetary penalty notice had been

The UK Information Commissioner’s Office (ICO) published new guidance following the issuance of EC Regulation (No.611/2013) (The Notification Regulation) (see our blog), which aims to harmonise EU data breach notification procedure for ISPs and telecom providers.

The ICO’s guidance seeks to interpret the Notification Regulation in line with Privacy and Electronic Communications (EC

UK data protection authority, the Information Commissioner’s Office (ICO), has published new guidance, an accompanying checklist, and an at-a-glance guide to help organisations understand the rules governing direct marketing under the Data Protection Act 1988 (DPA), and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR).

The ICO guidance attempts to clarify direct

This post was written by Cynthia O’Donoghue.

In June 2013, the UK Information Commissioner’s Office (ICO) published new guidance entitled “Social networking and online forums—when does the DPA apply?” (Guidance). The document explains what must be considered by organisations that run social media sites, as well as by individuals who upload or