top of page
  • Stewart Room

Important new case alert! A security breach doesn’t require a circumvention of security controls

If someone says "security breach", what do you think? Is this a situation where a rogue actor (say a cybercriminal) or a rogue thing (say a computer virus) overcomes security controls to do some harm? The security controls might be an access mechanism, or a filter or barrier of some kind. If the rogue overcomes those controls, then we'd say that the controls have been circumvented.

But what about the situation of a rogue doing something untoward in respect of a thing that is not protected by security controls? For example, imagine a Cloud instance where there are open ports that give anyone or anything on the internet free and unrestricted access to a database stored within the instance. That would certainly be a breach of security, but no controls were circumvented.

Let's take the situation one step further. Imagine a database simply loosing data. There are no rogues involved. No one or thing does anything untoward. Simply put, the data ceases to be. Is that a security breach?

If security of data means a state of confidentiality, integrity and availability (the CIA Triad), then the loss of the data is a security breach, because it is no longer available, because it ceases to be.

This is the scenario addressed by the Information Commissioner's Office in the reprimand of University Hospital of Derby and Burton NHS Trust, published in late October.

What happened is that GPs would send referral requests to the hospital, but its computer system would drop them from the appointment wait list if they were not actioned within a set period of time. If further time elapsed without them being actioned, they would would be permanently lost from the system.

Upon becoming aware of this issue, the NHS sent guidance to the hospital on how to deal with the problem, but, unfortunately, the guidance wasn't properly actioned, due to a lack of awareness raising and training within the teams responsible for managing the referrals. The net result is that some patients lost their places in the queue and in some cases their appointments were put back by over two years.

The ICO has treated this case as a breach of the security rules in Article 5.1.f of the UK GDPR, proving that a security breach doesn't need there to be circumvention of security controls or any rogue elements. The wrongful expiry of data is sufficient to breach the rules, as that is an availability loss. The eagle-eyed ones among you might note that A.5.1.f is titled "integrity and confidentiality" and that represents only two thirds of the CIA Triad, but the missing third is found in the text of the article itself.

This interpretation of the law is consistent with the longstanding position within the Computer Misuse Act, which is that the commission of a computer misuse offence such as hacking, malware distribution and DoS does not require the cybercriminal to circumvent security controls.

In sum, under this formulation there might be many more security breaches occurring that are not notified to the regulator or the people affected.


bottom of page