Cybercrime is more prevalent than ever, and reports of large organisations being hit by cyber incidents now appear almost daily. Charities are not immune to this threat, and a recent survey conducted by the Charity Commission indicated that many charities are underestimating the risk associated with cybercrime.
Following the survey, the Charity Commission published an announcement relating to charities assessing the risks faced by them in respect of cybercrime. The announcement included the following:
“The Charity Commission’s new survey explored charities’ experiences of online cyber-attack. It found that over half of charities (51%) held electronic records on their customers, while 37% enabled people to donate online. A greater digital footprint increases a charity’s vulnerability. The most common types of attacks experienced were phishing and impersonation (where others impersonate the organization in emails or online). For both attacks personal data is often at risk.
There are lots of simple steps that can be taken to protect against cyber harms including using strong passwords and two factor authentication, making back-ups of your data using the cloud and making sure antivirus and all other software is patched to the latest version. Many useful tools and resources will be available to help charities reduce their vulnerability to these crimes throughout Charity Fraud Awareness Week.
The survey also confirmed that there is an under-reporting of incidents when they do occur, with only a third (34%) of affected charities reporting breaches. It’s important that charities get in touch with the Commission where there has been a serious incident, even where there may be no regulatory role for the Commission. This helps the regulator to identify trends and patterns and help prevent others from falling victim to fraud.”
Amie McWilliam-Reynolds, Assistant Director Intelligence and Tasking, from the Charity Commission said:
“Online financial transactions, and online working generally, present a great opportunity for charities – whether in engaging supporters, raising funds, and streamlining their operations. This was demonstrated in particular during the pandemic, when the longer-term move away from cash to online fundraising accelerated. But online financial transactions and the collection and storage of personal data also harbour risk, and we are concerned that some charities may be underestimating that risk, and are therefore exposing their charity to potential fraud.”…
She added:
“Preventing and tackling fraud is not a ‘nice to have’. It is vital that every penny given to charity makes a positive difference, especially during these straitened times, when donors, charities, and those they support face mounting financial pressures.”
Whilst the writer agrees with everything said in the announcement, there are some additional points that need to be covered.
Reporting
The announcement makes it clear that cyber incidents are under-reported to the Charity Commission. Charities should also note that, under Article 33 of the UK GDPR, a personal data breach must be reported to the Information Commissioner's Office (ICO) unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The report must be made without undue delay and, where feasible, within 72 hours of the charity becoming aware of the breach; if it is made later than that, it must be accompanied by the reasons for the delay. A breach that the charity decides not to report must still be documented internally, together with its effects and the remedial action taken, so that the ICO can verify that decision if it asks.
Loss of data
When a charity is the victim of a cyberattack, the attacker will typically either lock down its systems (most commonly by encrypting them and demanding a ransom for the decryption key) or take as much data as they can from the victim's systems, either to hold it for ransom or to use it to impersonate the data subjects, for example with a view to obtaining credit in their names fraudulently. Increasingly attackers do both, so a charity whose systems have been encrypted should assume that personal data has also been taken unless it can show otherwise.
The 72-hour deadline applies to the report to the ICO. Where the breach is likely to result in a high risk to the rights and freedoms of individuals (which will typically be the case where the stolen data could be used for identity fraud), Article 34 of the UK GDPR imposes a separate obligation to inform the affected data subjects without undue delay, in clear and plain language, describing the nature of the breach, its likely consequences, the measures taken or proposed to address it, and a point of contact for further information.
Article 82 of the UK GDPR (the retained version of the EU GDPR, supplemented by the Data Protection Act 2018) further provides:
- (1) “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
- (2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation…
- (3) A controller…shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.”
Article 5 (paragraphs 1(f) and 2) confirms:
- “Personal data shall be…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Accordingly, where a data controller has failed to secure an individual's personal data adequately and that failure results in loss to the individual, the controller is liable to compensate the data subject for the loss suffered; because Article 82 covers non-material as well as material damage, distress alone can found a claim. Given that some data thefts result in fraudsters obtaining credit in the victim's name, such losses could be substantial.
Article 82 does, however, provide a potential defence where the charity can prove that 'it is not in any way responsible for the event giving rise to the damage'. Read with the accountability principle in Article 5(2), that is a demanding test: a charity that cannot demonstrate that it assessed its cyber risks and took appropriate measures to protect its systems and data will not be able to avail itself of the defence. In practice this means keeping evidence that can be produced after an incident, namely a written risk assessment, records showing that the basic measures the Commission lists (strong passwords and two-factor authentication, regular and tested backups, prompt patching of antivirus and other software) were actually in place, and a log of incidents and the response to them.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.