Cyber-Attack Prompts Charity Trustees To Reconsider Their Duties

The Information Commissioner's Office (the "ICO") announced last week that it was fining a religious charity, The British and Foreign Bible Society, £100,000 under the Data Protection Act 1998 (the "DPA"). In 2016, the charity's computer network was compromised as a result of a cyber-attack. The ICO found that the attack succeeded because the charity had failed to take measures to ensure that its computer network was adequately protected.

An easy-to-guess password allowed the attackers to log in to a service account on the charity's internal network. Ransomware was then deployed, and the attackers gained access to the personal data of 417,000 of the Society's supporters. Some files were also transferred out of the network.

The ICO commented that the charity had exposed its supporters to possible financial or identity fraud, and had also exposed a sensitive fact about them: because the data concerned supporters of a religious charity, it revealed the religious beliefs of those 417,000 people.

An organisation's responsibility to take measures to protect its computer network is set out under Principle 7 of the DPA. Principle 7 requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data, and against accidental loss, destruction of, or damage to, personal data.

The ICO acknowledged that, whilst a cyber-attack is a criminal act, The British and Foreign Bible Society had nonetheless failed to comply with Principle 7. The ICO's Head of Enforcement, Steve Eckersley, said that "organisations need to have strong security measures in place to make it as difficult as possible for intruders".

Charities would do well to take note of the ICO's decision, because many charities have very few security measures in place. The Cyber Security Breaches Survey 2018 found that 73% of the surveyed charities with annual incomes of more than £5 million had identified a cyber attack or breach in the previous year. Despite that, only 21% of the surveyed charities had a cyber security policy in place.

The ICO's decision places a greater onus on trustees to assess the level of security that is appropriate for their charity and then to ensure that the necessary measures are implemented. This may involve diverting charitable funds to security. Nevertheless, by taking adequate steps to protect their computer networks, and by being able to show that they take seriously the protection of the personal data of donors and other contacts, charities will not only avoid fines from the ICO but will also ensure the on-going support of...
