The Information Commissioner's Office (ICO) has recently issued a £500k penalty against Cathay Pacific Airways Limited (Cathay Pacific) for a series of hacks that exposed the personal information of 9m customers. [1] The ICO's penalty notice cites twelve contraventions, including that "Forensic evidence was no longer available during the Commissioner's investigation." [2] This briefing looks at whether a failure to secure evidence can in itself amount to a breach of the GDPR.

Many forensic experts advise that you switch off and isolate infected devices once a breach is discovered, particularly if it involves a virus or ransomware. The devices can then be forensically imaged and air-gapped so that they can be safely investigated. It is rare that the first step is simply to wipe the system clean. Doing so could prevent an organisation from finding out what actually happened, leaving a vulnerability in the system that could be exploited again. It may also destroy the evidence trail, preventing law enforcement from taking action and limiting an organisation's ability to respond to regulatory investigations.

Cathay Pacific, however, decided to decommission some of its servers before the ICO had a chance to investigate. In the ICO's words: "If Cathay Pacific had followed best practice in terms of preservation of digital evidence, then more information would have been available." [3]

This action is asserted in the ICO's penalty notice as a contravention of Principle 7 of the old Data Protection Act 1998 (DPA 1998) (the Cathay Pacific incident took place before the GDPR came into force). This well-known principle requires that:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The same requirement is replicated in Article 5 of the GDPR, which requires that personal data be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

Cathay Pacific's approach is far from best practice and certainly warrants being included as an aggravating factor when setting the level of the penalty. But is it a breach of the DPA 1998 or the GDPR?

Under the DPA 1998, arguably not. Principle 7 is about the prevention of incidents, not the response to them. Obviously, learning from your mistakes and closing down existing vulnerabilities is a key part of good information security practice. But there is no suggestion in the penalty notice that Cathay Pacific's decommissioning of its servers prevented this from happening or that it contributed to any later breach. Instead, it is the mere failure to preserve evidence for the ICO to review that is cited as the breach of Principle 7. This seems to stretch the scope of Principle 7 beyond a plain reading of its words.

Under the GDPR there is a further requirement to meet in Article 32(4):

"The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article."

This does not expressly state that exploited systems must be forensically preserved, but it comes close and is an additional requirement of the GDPR not found in the DPA 1998. It does, however, express the same sentiment as the Cathay Pacific penalty: organisations have to preserve sufficient information so as not to frustrate a regulator's investigations.

Regardless of the subtleties of the law, the ICO appears to have adopted the view that preservation of evidence is a legal requirement, and it can be expected to follow that approach unless challenged in court. This could create a practical problem where an exploited system is still an active part of the IT estate and needs to be quickly rebuilt in order to keep an organisation functioning. On the ICO's interpretation of Principle 7, it is difficult to see a distinction between decommissioning a system and rebuilding it so as to restore service; both may result in a loss of evidence. Organisations would be well advised to have plans in place and, if needed, contractors on retainer to forensically image evidence immediately following a breach.

So where does that leave us? Best practice is still to preserve affected systems until the vulnerability is known and fixed. Unless you are feeling brave enough to challenge the ICO on its interpretation of the law, the practical advice in light of Cathay Pacific is to implement a document hold if a serious breach is notified to the ICO. That hold should stay in place until the ICO closes its case file. Advice should be taken on the scope of the hold and whether it now needs to include preserving or forensically imaging any affected devices.

[1] ICO, 'International airline fined £500,000 for failing to secure its customers' personal data'

[2] ICO, Monetary Penalty Notice issued to Cathay Pacific Airways Limited, 10 February 2020

[3] ICO, Monetary Penalty Notice issued to Cathay Pacific Airways Limited, 10 February 2020