The Bottom Line
- Cybersecurity standards are not about perfection. The Court has reinforced that “appropriate” security measures are judged against the standards and threats known at the time, not with the benefit of hindsight after a novel attack.
- Regulatory fines face tougher scrutiny. This judgment gives businesses a stronger precedent for challenging the ICO’s findings, particularly where a sophisticated and unforeseeable cyber-attack caused the breach.
- Documented risk assessments are your best defence. The ruling underscores the importance of being able to demonstrate a considered, documented and reasonable approach to cybersecurity; that evidence carries more weight than the mere fact that a breach occurred.
The Details
This landmark case originated from a significant cyber-attack on DSG Retail’s systems, which compromised a large volume of customer data. Following an investigation, the Information Commissioner’s Office (ICO) imposed a substantial monetary penalty, concluding that the retailer had failed to implement appropriate technical and organisational measures to protect personal data as required by law. DSG appealed the penalty, arguing that its security controls were reasonable and in line with industry standards at the time, and that the breach resulted from a highly sophisticated criminal attack that could not reasonably have been anticipated.
The Court of Appeal has now sided with DSG Retail and overturned the ICO’s penalty. In their reasoning, the judges clarified the legal test for “appropriate” security. They held that the regulator had erred by applying a standard of protection with the benefit of hindsight. The Court stressed that the law does not require a data controller to be immune to every possible attack. Instead, compliance must be assessed against the specific risks the company identified, the technology and practices available at the time, and whether the cost of implementing further measures was proportionate.
The commercial implications of this judgment are significant. It serves as an important check on the ICO’s enforcement approach, pushing back against any assumption that a data breach automatically amounts to a legal failure. For CEOs and their legal counsel, the ruling sends a clear signal: robust investment in cybersecurity remains essential, but the focus must also be on building a defensible, well-documented security posture, one that records which risks were identified, which controls were chosen and why, and what alternatives were considered and rejected on cost or proportionality grounds. This decision allows businesses to argue that they took all reasonable steps, providing a more nuanced and realistic framework for assessing liability in an age of ever-evolving cyber threats.
Source
Court of Appeal (Civil Division)
