This decision is a clear indication that the concept of plausible deniability is dead, or at the very least dying. The days of refusing to look for possible IT and security threats with the potential to result in the loss of customer data are over.
The argument that because the issues were unknown it was not possible for the business to fix them is no longer going to be accepted as an adequate defense.
David Smith, deputy commissioner and director of data protection for the ICO, reportedly said, “There's no disguising that this is a business that should have known better.” To security practitioners, this is music to our ears. Putting your head in the sand and avoiding learning about the security weaknesses surrounding your IP or your customers' information won't stop the attackers from looking for, finding and targeting those weaknesses. So claiming it is not your fault when they do is illogical and harmful to your customers.
What is the implication? Well, Smith went on to say, “It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
That means that a company can reasonably be expected to employ technical expertise and should be performing regular risk assessments of its IT environment, both internal and external. The question then becomes: of what type of company would we have a reasonable expectation of technical expertise? Any company that derives some of its reputation or income from its online presence would seem like a candidate to me, as well as any company that would cease to make money if its IT infrastructure went away.
It is in the best interest of customer data that a strong message be sent to organizations that the expectation is that they are to be continuously looking for security issues and developing remediation and compensating controls to reduce or eliminate risk. This would make organizations more secure (and I would argue is likely to make them more efficient), while improving protection of customer data.
But is this possible? Despite what the movies might have told us, running a modern vulnerability scanner is something a child (or an executive) could do. So I find it hard to believe any organization does not have the internal capability to do that. But the critical point is not that they are looking for vulnerabilities, though they should be, but that they are determining which of the risks discovered represent business risk and should be remediated. Interestingly, this is easier for a small organization because of the smaller number of assets that need to be assessed.
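The step the paragraph above calls critical, turning a list of scanner findings into a list of business risks, can be made concrete. The following is an added example, not code from the original article or from any scanner vendor; the asset attributes, the weights, the remediation threshold and the finding identifiers (`SCAN-0001` and so on) are all constructed assumptions for illustration. It weights each finding's scanner severity by how much the affected asset matters to the business (internet exposure, customer data, revenue dependence), so that a moderate finding on the customer-facing shop outranks a critical one on an isolated internal box.

```python
"""Triage vulnerability-scanner findings by business risk rather than raw severity.

Added example; the assets, weights, threshold and finding ids are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool       # reachable by outside attackers
    holds_customer_data: bool   # a breach here is a customer-data loss
    revenue_critical: bool      # the business stops earning if it is down


@dataclass(frozen=True)
class Finding:
    asset: str      # name of the asset the scanner reported it on
    vuln_id: str    # constructed placeholder id, not a real advisory
    severity: float # scanner severity on a 0-10 scale


def asset_weight(asset: Asset) -> float:
    """Multiplier reflecting how much the asset matters to the business (assumed values)."""
    weight = 1.0
    if asset.internet_facing:
        weight += 1.0
    if asset.holds_customer_data:
        weight += 1.5
    if asset.revenue_critical:
        weight += 1.0
    return weight


def business_risk(finding: Finding, assets: Dict[str, Asset]) -> float:
    """Scanner severity scaled by the business weight of the affected asset."""
    return round(finding.severity * asset_weight(assets[finding.asset]), 1)


def triage(findings: List[Finding], assets: Dict[str, Asset],
           remediate_threshold: float = 20.0) -> List[Tuple[str, str, float, str]]:
    """Rank findings by business risk and mark which ones cross the remediation line.

    Returns (asset, vuln_id, business_risk, decision) tuples, highest risk first.
    The threshold is an assumed policy value, not a standard.
    """
    ranked = sorted(findings, key=lambda f: business_risk(f, assets), reverse=True)
    result = []
    for f in ranked:
        risk = business_risk(f, assets)
        decision = "remediate" if risk >= remediate_threshold else "track"
        result.append((f.asset, f.vuln_id, risk, decision))
    return result


# Constructed sample inventory and scan output.
ASSETS: Dict[str, Asset] = {
    "webshop": Asset("webshop", internet_facing=True, holds_customer_data=True, revenue_critical=True),
    "hr-intranet": Asset("hr-intranet", internet_facing=False, holds_customer_data=False, revenue_critical=False),
    "build-server": Asset("build-server", internet_facing=False, holds_customer_data=False, revenue_critical=True),
}

FINDINGS: List[Finding] = [
    Finding("webshop", "SCAN-0001", 7.0),      # high severity on the most important asset
    Finding("hr-intranet", "SCAN-0002", 9.8),  # critical severity on an isolated internal host
    Finding("build-server", "SCAN-0003", 8.0),
    Finding("webshop", "SCAN-0004", 4.0),      # medium severity, but on the webshop
]


if __name__ == "__main__":
    for asset, vuln_id, risk, decision in triage(FINDINGS, ASSETS):
        print(f"{asset:<13} {vuln_id}  business risk {risk:>5}  -> {decision}")
```

Run stand-alone, the medium finding on the webshop (risk 18.0) lands above the critical finding on the intranet host (risk 9.8), which is exactly the kind of re-ordering a raw severity sort hides. The weights and the threshold are where the business makes its judgement; the point is that the judgement is written down and applied to every finding, not that these particular numbers are right.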
In summary, this is one of those seemingly rare examples where a ruling reflects what we all know to be true. If something is common knowledge and you fail to even consider doing it, then you are at fault for not even trying as much as someone else is at fault for trying and failing.