The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) highlighted in a September 2023 White Paper[1] that the evolution of ransomware had been the "biggest development in cyber crime" since their previous report on cyber activity in 2017. Amongst all the various harms inflicted by ransomware, the White Paper called out in particular, the potential for ransomware attacks to impact individuals due to the loss of key services and personal data leaks.
From the perspective of protecting personal data, the Information Commissioner's Office (ICO) highlighted that personal data breaches, both in number and severity, involving ransomware has increased since 2020 and 2021. The ICO's own guidance references the NCSC's recognition of ransomware as the biggest cyber threat facing the United Kingdom, to highlight why ransomware is such an important data protection issue[2].
The ICO's own empirical data supports these trends and impacts. Between the start of 2019 and the end of the first half of 2024, 3,760 ransomware incidents had been reported to the ICO. Data for complete yearly periods between 2019 and 2023 show a significant increase in reported incidents since 2019, from 158 in that first year, to 723 in 2021, up to 1,253 in 2023.
The ICO has emphasised that organisations need to put in place security measures to avoid preventable attacks, with the ICO's head of enforcement, Stephen Bonner, affirmatively stating that "There is absolutely no excuse for not having the foundational controls in place.”[3]
With the ICO's position suggesting that it is taking no prisoners, many may assume that the proliferation of ransomware and attacks reported to the ICO must have resulted in an abundance of ICO enforcements. The ICO has a number of enforcement measures at its disposal, which can be used where appropriate, including warnings, reprimands, enforcement notices and penalty notices. Serious infringements can be subject to a fine of up to £17.5 million or 4% of annual turnover, whichever is higher.
However, a review of available information suggests that the statistical prospect of an organisation being subject to some form of formal enforcement action, following a ransomware attack compromising personal data, is low.
This is fine, everything's "fine"
Against the backdrop of 3,760 ransomware incidents, it is quite remarkable that the ICO has only issued two monetary penalty notices to date, with a third in the pipeline. These comprise Tuckers Solicitors (a £98,000 fine in 2022), Interserve (a £4.4m fine also in 2022), and Advanced Computer Software Group Ltd (a £6m provisional fine announced in August 2024).
One could be led to conclude that it is either the case that almost all organisations that suffer ransomware attacks have at least the foundational controls of cyber security in place, or that the ICO is deciding that not all (but almost all) ransomware incidents will not receive a fine. For the average organisation suffering a cyber incident, the numbers show that a fine is an extremely unlikely outcome.
Not only could it be said that lack of "hard" enforcement undermines the UK GDPR regime but it may also carry much wider implications. With much justified fanfare, the ICO published updated fining guidance in July 2022 noting that it would apply leniency to those organisations who proactively reported their cyber breach to bodies such as the NCSC[4]. Again, based on the statistics, organisations could be forgiven for believing that in reality, they are not going to be fined for suffering a ransomware attack, even if they are slow to report it; so this particular carrot is not particularly persuasive.
It's not all about the fines
Of course, a fine isn't the only sanction available to the ICO in relation to enforcement following a ransomware attacks. In the Commissioner's own words "The number or quantum of fines is not the measure of our success or failure, nor of our impact."[5] In that speech in November 2022, the Commissioner confirmed that Reprimands would be published as "regulatory action must be a lesson learned by the rest of the economy and play a role in behaviour change."
However, there are seemingly even less Reprimands issued for ransomware attacks compared to fines, and Reprimands suffer the fatal flaw in that they cannot be appealed through the usual tribunal process. The most recent subject of a ransomware Reprimand simply stated that it did not agree with the ICO's decision, leaving the public status of the ICO's findings in something of a judicial limbo.
Why the lack of enforcement?
So is the lack of enforcement simply down to the fact that the ransomware incidents were not particularly serious? Ask any cyber security researcher or threat intelligence expert and they will easily highlight dozens of UK based ransomware attacks with interruption and data leaks that were not dissimilar to the impact of those already sanctioned.
In 2019 and 2020, the ICO's own figures suggest between 98 and 99% of ransomware incidents reported resulted in an investigation by the ICO, yet this figure decreased to 7% of incidents in 2023.
It could be argued that some of these incidents have now been reported as 'informal action taken'. The ICO defines[6] 'informal action taken' as circumstances in which they determined that the breach as reported, did not warrant a response such as a fine or reprimand, but some action was taken, such as advice being given. By contrast, 'no further action' involves circumstances where the investigations team has determined that no further action is required in response to the report. The example provided is circumstances where "the issue did not involve any personal data or did not reach the threshold for action."
The ICO notes that due to a change in the definitions of 'informal action taken' or 'no further action' in April 2021, a significant proportion of cases now sits within the 'informal action' definition. However, noting the 91% decrease in incidents being subject to a formal investigation between 2019 and 2020 to 2023, is there a reason for this decrease?
It is impossible to know for certain, but one factor highlighted by the statistics above must be that the ICO's own resources which are, like any organisation, finite. If it is the case that the prospect of enforcement reduces as the number of reported ransomware incidents rise, then this would be an outcome somewhat steeped in irony.
Commentators have also observed that the ICO may be picking its battles, and electing the Reprimand route over financial sanctions which carry the risk of appeal.
In 2023, the First-tier Tribunal has ruled that the Information Commissioner did not have the jurisdiction to issue a £7.5 million GDPR fine to Clearview AI, and overturned the fine.[7]
Although unrelated to the issue of ransomware, the ICO has also previously dramatically reduced large proposed fines following representations by the companies, as is permitted by the enforcement procedure. Following a data breach involving the compromise of 500,000 British Airways (BA) customers, the ICO proposed a £183m fine, equating to 1.5% of BA's global turnover for 2017.
Following representation from British Airways, the ICO concluded that "through issuing the [Notice of Intent], BA was afforded the opportunity to use the consultation process to make meaningful representations which were capable of affecting the outcome of the investigation … The Commissioner rightly took all of the material submitted by BA into account, which necessarily resulted in further clarity being brought to the circumstances of the Attack and a more detailed decision being produced." The fine was ultimately reduced to £20 million.
Similarly, the ICO confirmed it intended to fine Marriott Hotels £99 million following a data breach, with the final notice setting that figure at £18.4 million.
Notably, these organisations all had significant financial resources at their fingertips to go up against the ICO which has, until recently, had to self-fund any appeal and litigation over its own sanctions.
However, from 1 April 2022, the HM Treasury has allowed the ICO to retain funds to cover pre-agreed, specific and externally audited enforcement and litigation costs. There is a cap on the amount of costs that be recovered in any one financial year (£7.5m) with any approach being audited by the National Audit Office.
The future
As matters stand, there is no sign of the global ransomware epidemic from slowing. Whilst Government and policymakers have a wide range of levers to pull, it would appear from the statistics that regulatory enforcement via the ICO is not following the same trend. Of course, there are plenty of incredibly powerful (and obvious) reasons for organisations to avoid a ransomware attack, but avoiding ICO sanctions is arguably low down on the list.
[1] https://www.ncsc.gov.uk/whitepaper/ransomware-extortion-and-the-cyber-crime-ecosystem#section_5
[2]https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/ransomware-and-data-protection-compliance/
[3] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/05/organisations-must-do-more-to-combat-the-growing-threat-of-cyber-attacks/#:~:text=As%20the%20data%20protection%20regulator,the%20foundational%20controls%20in%20place.
[4] https://ico.org.uk/about-the-ico/what-we-do/draft-data-protection-fining-guidance/circumstances-in-which-the-commissioner-would-consider-it-appropriate-to-issue-a-penalty-notice/relevant-aggravating-or-mitigating-factors/
[5] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/11/how-the-ico-enforces-a-new-strategic-approach-to-regulatory-action/
[6] https://ico.org.uk/action-weve-taken/data-security-incident-trends/glossary-of-terms/decision-taken/
[7] https://www.dacbeachcroft.com/en/What-we-think/Clearview-successfully-overturns-75-million-ICO-fine