Why has the ICO changed its position on cybersecurity?

And what does it mean for past cases?


From years of denying it was part of its remit, to accepting that it is actually Quite Important for data protection, the UK’s data regulator has a changeable history with cybersecurity.

Regular readers will be familiar with the story of Wayne Johncock, the former Centrica CIO who lost hundreds of thousands of pounds to a sophisticated scam.

This month, as Wayne and his wife Nicky face a house repossession order, we are returning to the case to investigate the Information Commissioner’s Office’s (ICO) long-standing denial that cybersecurity falls inside its area of responsibility, and why it recently changed its approach.

In 2018, Wayne and Nicky were taken in by a Bank of America employee, Rajesh Ghedia, who claimed to hold a senior trading position when he was in fact an internal project manager. He convinced the Johncocks, and others, to hand over huge amounts of money he then spent on himself.

One victim has already lost her home to satisfy debts arising from the case. If the repossession order proceeds, Wayne and Nicky would be the second couple to do so.

Ghedia is in jail, but the legal battle continues for Wayne and Nicky, who are fighting for Bank of America to take responsibility for its part in the case.

The Johncocks argue that, as their personal data was unnecessarily stored on the bank’s systems and servers, it is responsible for a data breach. That could be worth billions of pounds in penalties under UK data protection legislation.

The ICO is the UK’s data regulator, tasked with ensuring adherence to laws like the UK GDPR. It has repeatedly denied that Bank of America is liable for any penalty, an assertion we have disputed as being based on a misunderstanding of customer and personal data.

What about cyber?

Cybersecurity would seem to be a key part of data protection, but the ICO has often said that cybersecurity is not part of its remit – until recently.

For example, a form email Wayne received in 2023 as part of a submission to the regulator includes this line:

“Please note, the ICO cannot consider concerns relating to criminal activity (fraud), customer service matters, cyber security and an organisation’s code of conduct as these concerns are outside of our remit.”

Edward Fyle, a solicitor working for the ICO, later repeated this assertion nearly word for word.

That position is understandable in cases where personal data is not involved, although it clearly is here.

The regulator has form for confusion. As well as the personal/customer data issue outlined above, it has previously said it can’t investigate in the case of criminal activity. The City of London police have themselves pointed out this is in error; the ICO has its own powers of prosecution. Equally, the high-profile TalkTalk data breach in 2015 involved subsequent ICO penalties of £400,000 for failing to implement appropriate security measures.

However, the ICO now says cyber does fall under its banner “if it relates to personal data.”

It has taken that stance since at least May last year – well before the government introduced the Cyber Security and Resilience Bill in November giving the regulator new powers, though likely prompted by it.

ICO spokespeople David Meller and Rosina Harrison even made the following points at the Data Protection Practitioners Conference in October:

  • Cyber incidents and security failures are central to breach assessment under Articles 5, 32, 33 and 34 of the UK GDPR; and
  • The ICO’s role includes scrutinising technical and organisational controls, access management, monitoring and post-incident mitigation.

And yet, the UK’s data protection authority will not apply this stance retroactively. Were it to do so, it is possible that the outcome of the Johncocks’ case could change.

However, the legal case – for now – may be settled. Wayne took the ICO to court earlier this year for its handling of the situation, but the case was dismissed at an interim hearing. The ICO sent us the following statement from a spokesperson:

“The ICO takes cyber security extremely seriously. We work with organisations across the UK to improve cyber resilience through guidance and engagement, and take regulatory action where organisations fail to take the appropriate steps to keep personal data secure.

“In this case, the court found no evidence that the ICO had acted inappropriately in the handling of Mr Johncock’s complaint, concluding that the issues relating to fraud, customer service, and cyber security fall outside the ICO’s remit as they didn’t involve the processing of his personal data. His claim against the Commissioner was dismissed, and he has declined to exercise his right of appeal against the court’s decision.”

For his part, Wayne contends that the case was dismissed purely because it was brought before the wrong court, and that there was nothing in the judge’s ruling about the ICO’s remit or its handling of the case.

We will update this article once we review the ruling, which we have requested.
