Recent ICO Data Breach Enforcement Emphasizes the Importance of a Robust Breach Response | Skadden, Arps, Slate, Meagher & Flom LLP

https://www.jdsupra.com/legalnews/recent-ico-data-breach-enforcement-7794437/

Publish Date: 2026-02-03 16:23:00

Source Domain: www.jdsupra.com

Executive Summary

  • What’s new: The UK ICO issued £15 million in GDPR fines against Capita and LastPass UK Limited for data breaches resulting from cyberattacks.
  • Why it matters: These fines underscore the ICO’s emphasis on data breach enforcement and provide insight into the ICO’s approach to investigations and enforcement.
  • What to do next: Companies should consider benchmarking cybersecurity against NCSC guidance, reviewing and updating incident response policies, and weighing the use of privilege in internal security documentation.

__________

In the final quarter of 2025, the UK Information Commissioner’s Office (ICO) issued fines under the General Data Protection Regulation (GDPR) totaling £15 million against Capita plc, Capita Pension Solutions Limited (together, “Capita”) and LastPass UK Limited for data breaches.

The fines provide insight into the ICO’s current approach to enforcement, including its treatment of group revenue. Below, we summarize the key themes from the decisions and important takeaways for all companies.

1. Proactive assessment and handling of cyberrisk is essential.

In fining Capita £14 million on 15 October 2025, the ICO found that personal data had not been adequately protected prior to the attack. Specifically, it determined that inadequate security penetration testing, insufficient security operations center staffing and poor administrator access controls created a “foreseeable and avoidable risk which was exploited by the threat actor.”

While the ICO acknowledged that implementing these measures could be costly and time-consuming, it did not accept these challenges as an explanation for security shortcomings. Organizations with substantial resources (or those handling high-risk data) may want to consider the ICO’s high expectations for proactive and robust cybersecurity risk handling.

Both decisions extensively cite guidance from the UK National Cyber Security Centre (NCSC) in determining what…