
IT systems left unsupported create risk of data breach, warns watchdog

The longer that businesses leave IT systems unsupported, the more likely they are to be issued with a fine for a data breach, the UK's data protection watchdog has said.

08 Apr 2014

The Information Commissioner's Office (ICO) has warned businesses to ensure that the personal data they are responsible for is not left exposed to security vulnerabilities in IT infrastructure.

The warning has been issued as Microsoft brought to an end the "extended support" it offered for its Windows XP and Office 2003 products on 8 April. The Crown Commercial Service has announced that it has signed a deal with Microsoft to "maintain critical and important security updates" for the software on behalf of all public sector organisations in the UK over the next year.

"It is important to remember that this is not a unique situation," Dr Simon Rice, the ICO’s technology group manager, said. "Organisations regularly end support for their older products. And those with supported systems still need to be vigilant, as vulnerabilities will be discovered over time."

"As a responsible data controller, it is your organisation’s responsibility to make sure you have the measures in place to keep people’s details safe. Anyone using either of these two products must consider their options and ensure that personal data is not unduly placed at risk. Failure to do so will leave your organisation’s network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented," he added.

Under the Data Protection Act (DPA) data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Businesses that fail to meet this standard risk being fined up to £500,000 by the ICO if there is a serious personal data breach.

The ICO confirmed to Out-Law.com that, in the case of a data breach stemming from an unsupported IT system, the length of time that the system has been left without upgrades would be a factor in determining whether, and to what extent, businesses would be subject to enforcement action under the DPA.

"If a data breach occurred that could have been prevented had the organisation been using a supported system then we would take this into account when deciding whether further action was required," an ICO spokesperson said. "Unsupported systems become more insecure as time passes, so we would also need to consider the length of time an organisation has been using an unsupported system and the reasons why as part of our decision making process."
