£3.07 million for security failings - ICO issues its first-ever processor fine under UK GDPR

Last month, the ICO issued its first-ever monetary penalty notice (“MPN”) against a processor..

Advanced Computer Software Group (“Advanced”) were fined £3.07 million for security failings identified following a ransomware attack that impacted NHS systems.

The decision to impose a fine directly against a processor rather than a controller is notable as it:

• Emphasises that processors have direct statutory obligations under UK GDPR,
• Clarifies regulatory expectations around the appropriateness of security measures, and
• Could have implications for contractual negotiations in the future.

The details of the events, the MPN and its implications are below.

The ransomware attack

• In August 2022, hackers accessed Advanced’s health and care subsidiary systems via a customer account unprotected by multi-factor authentication (“MFA”).
• The affected data included health data, national insurance numbers, and details on how to enter the homes of 890 people receiving care at home.
• The attack brought parts of the NHS 111 service to a standstill, leaving doctors and other healthcare professionals unable to access patient records.
• Overall, the attack directly impacted 16 controller customers and put the personal data of 79,404 people at risk.

ICO findings

• The ICO found that Advanced had breached Article 32 of the UK GDPR for failing to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the ICO criticised the gaps in Advanced’s deployment of MFA, its lack of comprehensive vulnerability scanning, and inadequate patch management.
• The ICO cited many aggravating factors that contributed to the seriousness of the fine, including Advanced’s size and the volume/nature of the personal data processed.
• The ICO also emphasised how security measures must cover the entire data lifecycle from the point of collection through to deletion.
• For example, a key point of criticism was that, even though Advanced had installed MFA to protect the vast majority of its records, its lack of complete coverage meant hackers could still gain access.
• More generally, this fine illustrates that the ICO does not just recommend MFA and appropriate vulnerability management controls; they are nowadays perceived as essential in many circumstances.

Negotiating the fine

• In August 2024, the ICO announced its intention to issue an Advanced with a provisional fine of just over £6 million.
• Subsequently, the ICO considered representations made by Advanced in response to the notice of intent. In its final decision, the ICO determined that the appropriate adjustment for seriousness was 65% of the statutory maximum (£8.7 million) because there was no evidence of actual harm to data subjects.
• The ICO further reduced the fine by 15% to reflect Advanced’s “proactive engagement” with the NHS and various security authorities in the wake of the attack, along with other steps Advanced took to mitigate the risk to those impacted.
• Finally, the ICO reduced the penalty by 20% in light of Advanced’s agreement not to appeal the fine.
• The final settlement figure of £3 million represents almost half of what the ICO originally announced in the notice of intent.

What can we learn from this decision?

• Advanced is the first processor to be fined by the ICO.
• This may be a one-off decision triggered by the specific facts of the breach, including the ICO preferring to go after Advanced as the party with the deeper pockets rather than the NHS as a public body.
• However, even if this is the case, this decision may change the dynamic of controller-processor contract negotiations.  
• Controller organisations are held responsible for data breaches, including civil liability for damages awarded to individuals and administrative fines imposed. By contrast, processors have not historically been in the direct firing line for any such hit.
• When negotiating data processing agreements, it is therefore quite common for controllers to argue that the processor is not exposed from a regulatory enforcement perspective.
• This decision reminds us that this is not the case; rather, the ICO (and other regulators) can fine or sanction processors directly where there is a breach of a statutory obligation that applies to them.
• Under the UK GDPR, processors can be held equally, if not more, liable than controllers, depending on the parties’ respective negligence and culpability for the loss or damage caused.
• A key issue not raised in the decision but has unsurprisingly been the subject of media attention is whether Advanced's customers (including the NHS) should take some responsibility for this breach, having perhaps carried out substandard due diligence on Advanced.
• The ICO’s decision clarifies that the obligations on the controllers (i.e., Advanced’s customers) should be considered separately from Advanced’s responsibilities as a processor.
• Regardless, this fine emphasises the importance of exercising care when contracting with processors and creating readiness plans for a processor breach.
• Although the NHS did not face a hefty fine following Advanced’s breach, the cybersecurity attack was widely reported and undoubtedly caused reputational damage.

Conclusion

• It remains to be seen whether this fine is unique based on its facts or whether this indicates a general willingness from the ICO to issue more penalties against processors in the future.
• Regardless, this decision could have implications for controller-processor contractual negotiations, shifting the dynamic between the parties and removing any perceived safety blanket for processors regarding the enforceability of their statutory obligations.

Source

https://inquisitiveminds.bristows.com/post/102k8rt/ico-issues-its-first-ever-processor-fine-under-uk-gdpr