
ICO Fine on Advanced Software: A Wake-Up Call for Genuine Compliance

14th Apr, 2025

In a move that has resounded throughout the tech industry, the Information Commissioner’s Office (ICO) recently imposed a significant fine on Advanced Software.

This action underscores a critical message: when it comes to data protection and privacy, genuine compliance is non-negotiable. For organisations, the recent fine serves as a stark reminder that treating compliance as a mere tick box exercise can have serious financial and reputational consequences.

The Backstory: What Happened with Advanced Software?

Advanced Software provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations.

A subsidiary of Advanced experienced a ransomware incident in August 2022 after attackers gained access to certain systems via a customer account that did not have multi-factor authentication (MFA) deployed. The cyber attack disrupted critical services such as NHS 111, and other healthcare staff were unable to access patient records.

The investigation found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 vulnerable individuals who were receiving care at home. Of those individuals, 41,196 had special category data exfiltrated, linked to 16 data controller customers. In total, 658 data controller customers were affected by the unavailability of products during containment.

Some data controllers were affected for a substantial period, with the final data controller being reconnected in May 2023.

The investigation found that Advanced’s subsidiary did not have adequate technical and organisational measures in place to keep health and care systems fully secure. The weaknesses included gaps in the deployment of MFA, a lack of vulnerability scanning and inadequate patch management.

Why the ICO’s Decision Matters

The ICO’s decision to fine Advanced Software is more than just a punitive measure; it represents a broader regulatory shift towards accountability and transparency. Regulatory bodies worldwide are increasingly scrutinising how companies manage sensitive data, and the ICO’s actions signal that even established players are not immune to repercussions if they fail to meet the required standards.

Key takeaways from this decision include:

  • Proactive Measures: Waiting until an issue arises is not an option. Companies need to implement proactive measures that prevent breaches and ensure that data handling processes are robust and secure.
  • Accountability: Policies, procedures, penetration tests and relevant vulnerability scanning tools were in place but not consistently followed. Companies need to be able to demonstrate compliance not only by having tools and documentation in place, but by running a regular programme of ongoing monitoring in which findings are mitigated in accordance with the type of data being processed and the identified risk.
  • Reputation at Stake: Beyond financial penalties, the reputational damage resulting from non-compliance can be devastating. Trust is hard to rebuild once it is lost.
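The root cause above was a single customer account without MFA, and the takeaway is that "MFA is deployed" has to be verified per account on a recurring basis rather than asserted once for the estate. The following is an added illustration of that check and is not code from Advanced, the ICO or the DSPT: it reads a constructed CSV export of accounts (the column names are assumptions, not any real identity provider's schema), lists every account that can still authenticate without MFA, and ranks the gaps so that remotely reachable and privileged accounts, the combination that enabled this incident, come first.

```python
"""Audit an identity export for accounts that can authenticate without MFA.

Added example. The CSV below is constructed to stand in for an export from
an identity provider, VPN portal or customer-facing login service; its
column names are assumptions, not a real product's schema.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample export; the accounts are invented for illustration.
SAMPLE_EXPORT = """\
username,account_type,remote_access,privileged,mfa_enrolled,last_login_days
alice.admin,staff,yes,yes,yes,2
bob.support,staff,yes,yes,no,1
customer-nhs-trust-a,customer,yes,no,no,3
customer-nhs-trust-b,customer,yes,no,yes,12
svc-backup,service,no,yes,no,0
carol.hr,staff,no,no,no,45
dormant.contractor,staff,yes,no,no,200
"""

# Accounts unused for longer than this are better disabled than enrolled (assumed threshold).
DORMANT_DAYS = 90


@dataclass(frozen=True)
class Finding:
    username: str
    account_type: str
    severity: str  # "critical", "high" or "medium"
    reason: str


def _yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def mfa_gaps(export_csv: str) -> list[Finding]:
    """Return every account without MFA, highest risk first.

    Severity ordering is an assumption for illustration:
      critical - remotely reachable and privileged, no MFA
      high     - remotely reachable (customer, VPN or portal login), no MFA
      medium   - internal only, no MFA (still a lateral-movement risk)
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if _yes(row["mfa_enrolled"]):
            continue
        remote = _yes(row["remote_access"])
        privileged = _yes(row["privileged"])
        if remote and privileged:
            severity, reason = "critical", "privileged account reachable remotely without MFA"
        elif remote:
            severity, reason = "high", "remotely reachable account without MFA"
        else:
            severity, reason = "medium", "internal account without MFA"
        if int(row["last_login_days"]) > DORMANT_DAYS:
            reason += f"; dormant for more than {DORMANT_DAYS} days, disable rather than enrol"
        findings.append(Finding(row["username"], row["account_type"], severity, reason))
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.username))
    return findings


def mfa_coverage(export_csv: str) -> float:
    """Fraction of accounts with MFA enrolled; the number a board report tends to quote."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    if not rows:
        return 1.0
    return sum(1 for r in rows if _yes(r["mfa_enrolled"])) / len(rows)


if __name__ == "__main__":
    print(f"MFA coverage: {mfa_coverage(SAMPLE_EXPORT):.0%}")
    for f in mfa_gaps(SAMPLE_EXPORT):
        print(f"[{f.severity.upper()}] {f.username} ({f.account_type}): {f.reason}")
```

Run against a real export on a schedule and keep the dated output: the list of gaps, and the fact that it was empty on a given date, is the kind of evidence of ongoing monitoring that the accountability point above asks for, whereas a coverage percentage on its own hides the one customer account that matters.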

The Role of the Data Security and Protection Toolkit (DSPT) for health and social care suppliers

Amid the chatter around fines and compliance failures, one tool stands out as an essential asset for organisations operating within the UK health and social care landscape: the Data Security and Protection Toolkit (DSPT). The DSPT is designed to help organisations assess and improve their data security practices systematically. However, its effectiveness hinges on how it is used.

Too often, companies approach the DSPT as just another box to tick rather than as a comprehensive assessment tool. Treated as a tick box exercise, the DSPT can create a false sense of security, leading organisations to believe they are compliant without fully addressing underlying vulnerabilities.

Here is why embracing the DSPT as a genuine compliance tool is critical:

  • Holistic Assessment: The DSPT offers a detailed, nuanced view of an organisation’s data protection measures. It does not merely ask for superficial answers but requires a deep dive into practices, policies, and procedures.
  • Identifying Gaps: By using the DSPT authentically, companies can identify and rectify gaps in their data protection framework before they escalate into serious issues.
  • Continuous Improvement: Data security is not static. Regular, honest assessments using an information security management system (ISMS) aligned to DSPT requirements can drive continuous improvement, ensuring that security measures evolve alongside emerging threats.
  • Regulatory Alignment: The ICO and other regulatory bodies are increasingly looking for evidence of genuine, ongoing compliance. An in-depth, honest DSPT assessment supports the provision of this evidence and demonstrates a commitment to data protection and security.


Investing in Adequate Resources

Another vital element in achieving true compliance is ensuring that organisations allocate adequate resources to data protection and security. Whether it is people, technology or budget, investing in robust resources is crucial for implementing and maintaining effective data security measures.

Consider the following when planning resource allocation:

  • Skilled Personnel: Hiring and training dedicated cybersecurity and data protection professionals is fundamental. Skilled teams can provide deeper insight as part of the DSPT submission and ensure that security measures are kept up to date.
  • Advanced Technology: Investing in state-of-the-art cybersecurity tools that are implemented effectively not only helps in preventing data breaches but also complements compliance efforts by offering real-time monitoring and rapid response mechanisms.
  • Budget Allocation: Sufficient financial resources should be earmarked for ongoing security improvements and technology upgrades. This ensures that organisations can adapt quickly to evolving threats without compromising compliance.
  • Process Integration: Beyond technology and staffing, integrating robust data protection processes into the organisational culture is essential. Adequate resources also mean having access to expert consultancy services and continuous training programs to keep the team informed about the latest regulatory requirements and cybersecurity trends.


Lessons Learned: Beyond the Tick Box

The case of Advanced Software teaches us that compliance is more than just a checklist; it is an ongoing commitment to safeguarding data and maintaining public trust. Relying on a tick box mentality not only puts organisations at risk of regulatory fines but also jeopardises the integrity of their data protection practices.

Consider these strategies to move beyond the tick box approach:

  • Engage Leadership: Compliance must be championed from the top down. Senior management should be actively involved in data protection strategies and ensure that every level of the organisation understands its importance.
  • Invest in Training: Employees are the frontline defenders of data security. Regular training sessions can help staff understand the importance of robust data practices and how to implement them effectively.
  • Conduct Regular Audits: Beyond the annual DSPT assessment, regular internal audits can help identify issues before they become major problems. These audits should be thorough and reflect the real state of data protection measures.
  • Adopt a Culture of Transparency: Transparency in data handling practices builds trust with customers, regulators, and stakeholders. An open culture ensures that issues are addressed promptly and effectively.
  • Leverage Technology: Invest in advanced cybersecurity tools and systems that complement your compliance efforts. Technology can provide real-time monitoring and automated alerts to prevent data breaches.
  • Secure Adequate Resources: Ensure that both financial and human capital are appropriately allocated to support compliance initiatives. Adequate resources are the backbone of a sustainable data protection framework.


A Strong Call to Action

The ICO fine imposed on Advanced Software is not just a cautionary tale—it is a call to action for all organisations handling sensitive data. Instead of treating compliance as a box to be checked off a list, companies must adopt a holistic, proactive approach to data security, which includes investing in the necessary resources to safeguard their operations.

Take action now

  • Review Your Compliance Practices: Do not wait for a regulatory body to point out your shortcomings. Use tools like the DSPT to conduct an honest assessment of your data protection measures.
  • Commit to Continuous Improvement: Compliance is a journey, not a destination. Regularly update your policies and practices to reflect the evolving landscape of data security.
  • Invest in Adequate Resources: Allocate the necessary budget, hire the right talent, and invest in advanced technology to build a resilient data security framework.
  • Engage with Experts: Consider consulting with data protection and security experts who can offer insights and strategies tailored to your organisation’s needs.
  • Prioritise Training and Awareness: Ensure that your team understands the importance of data security and is equipped with the knowledge to implement best practices.
  • Build a Resilient Data Culture: Create an environment where data protection is embedded in every aspect of your operations, from technology to human behaviour.

By taking these steps, organisations can not only avoid fines like those imposed on Advanced Software but also build a robust framework that protects sensitive data, enhances customer trust, and strengthens overall business resilience.

Embrace true compliance today—do not settle for the minimum standard. Instead, use tools like the DSPT to drive continuous improvement, ensure the allocation of adequate resources, and safeguard your organisation against the ever-evolving threats in the digital world.

Authors

Llinos Bradley

Principal Consultant - Data Privacy
