The Information Commissioner's Office issued two significant enforcement notices this year that have been read more carefully by data-protection lawyers than by the boards they apply to. This is a mistake worth correcting before the next breach.

Capita was fined £14m for the 2023 incident affecting some 6.6 million individuals. Advanced Computer Software was fined £3.07m for the 2022 LockBit attack on its healthcare arm. The totals are themselves notable — the largest UK cyber-related fines on record — but they are not what makes the two notices important.

What makes them important is what was being punished.

What was actually fined

Neither notice fines the breach. Both notices fine the security failings that preceded the breach.

This is a meaningful distinction. Older ICO enforcement tended to focus on the response — how quickly the breach was notified, how quickly affected individuals were informed, how clearly the firm communicated to the public. The 2025 notices reach further back. They cite the controls that were absent, inadequately tested, or not credibly evidenced before the attack started.

For Capita, the central findings included inadequate vulnerability management, insufficient privileged access control, and security testing arrangements that did not cover the parts of the environment most exposed to attack. For Advanced, the findings included insufficient access control, insufficient patch management, and an MFA posture that did not extend to the segments that attackers actually reached.

The pattern across both is the same: what was being assessed was what the firm had in place on the day before the breach started. The breach itself was the trigger for the investigation, not the substance of the finding.

The personal accountability angle

The enforcement direction the ICO is moving in does not, on its own, name the senior responsible person. But it is consistent with a wider regulatory direction of travel. The SEC's civil fraud charges against Tim Brown over the SolarWinds disclosures in late 2023 set the precedent in the US that the senior security officer is personally accountable for the accuracy of public statements about controls. The ICO has not yet gone there in the UK. The conditions for it to do so are now in place. Boards that read the 2025 enforcement notices and conclude "this is a corporate fine, not a personal one" are reading the present correctly and the near future incorrectly.

What "adequate security" means in evidence

The GDPR text uses the phrase "appropriate technical and organisational measures". For years, that phrase was treated as aspirational — a target to demonstrate movement toward, not a standard to be measured against.

The 2025 notices read it differently. The ICO now appears to assess "adequate security" by reference to:

This is not a checklist. It is closer to a litmus test. The question the regulator is now asking is: if you had been asked, on the day before the breach, to explain why the controls you had in place were adequate — could you have done it credibly? For both Capita and Advanced, the answer the ICO reached was no.

The defensible-position shift

For most of the last decade, the defensible position after a breach was "we responded well". Communications were prompt, regulators were notified within seventy-two hours, affected individuals were contacted, remediation was funded. This is still necessary. It is no longer sufficient.

The new defensible position is "we can demonstrate the controls we had in place beforehand, with evidence". These are not the same exercise. The first is a function of incident response capability. The second is a function of governance discipline — of board oversight, of internal audit, of the executive having received and signed off on credible assurance work in the months before something went wrong.

The shift is significant because it changes who is exposed. The CIO and CISO own the first defensible position. The board owns the second.

What good evidence looks like

Three properties seem to matter most, based on the language the ICO is using.

Contemporaneous. The controls were demonstrably in place at the time, not retrofitted in the response. Logs, audit trails, configuration management records, test results.

Independent. Someone other than the team that operates the control has assessed it. Internal audit, external assurance, penetration testing, regulatory inspection.

Specific. The evidence speaks to the actual environment the breach affected, not to a generic enterprise reference architecture. "We have MFA" is not evidence. "We have MFA on the following 47 systems including the one that was compromised" is evidence.

Firms that can produce evidence with these three properties on demand will have a meaningfully different conversation with the ICO post-incident than firms that cannot.

For boards

Three questions worth putting to the CISO before the next breach happens, not after.

If we were investigated by the ICO tomorrow following a notional breach, what evidence could we produce of our security controls in the period immediately before the notional incident? Show me a sample. The right answer should fit on a single page and be immediately understandable.

Of the controls we rely on, how many can the audit committee chair name, and how many of those have been independently tested in the last twelve months? If the gap between the two numbers is large, that is the work.

If the ICO concluded that we were a closer fit to the Capita pattern than to a defensible one, what would the fine look like in our case — and have we modelled the financial exposure? This is now a quantifiable risk, not an abstract one.

The closing observation

The ICO has not changed the law. It has changed what evidence it expects to find when it investigates. The shift has happened. Most boards have not yet noticed it has happened. The next round of enforcement — and the South Staffordshire investigation is rumoured to be in late drafting — will make the new posture more public.

Firms that get ahead of the shift will be the ones whose evidence on the day reads as already adequate. Firms that do not will be the ones reading the next enforcement notice and recognising themselves.