The EU General Data Protection Regulation (GDPR) took effect in May 2018. Since Brexit, a UK version, the UK GDPR, applies alongside the Data Protection Act 2018. Yet five years on, awareness still seems low among small and medium-sized businesses, including law firms.

Patrick Wheeler

Most businesses know that if they have a website they need a privacy notice and a cookie notice explaining to users how their data will be processed. What is less well understood is that these notices are key customer or client interfaces for the business: they need to be kept fully up to date and carefully tailored to the specific personal data the business collects and the uses it puts that data to.

Businesses also need to take appropriate steps to protect the security and integrity of the personal data they process. Article 5(1)(f) of the UK GDPR requires that personal data be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’. Article 32(1) requires technical and organisational measures that ensure a level of security appropriate to the risk, and Article 32(1)(b) specifically lists the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

This matters because a business that gets it wrong can expect enforcement action by the Information Commissioner’s Office (ICO), which can include published reprimands and fines. There is also an obligation under Article 33 to report personal data breaches to the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. The clock runs from the moment of awareness, not from the next working day, so a breach discovered on a Friday evening leaves very little time.

In February 2022, the ICO fined the law firm Tuckers £98,000 after a ransomware attack that left parts of its IT system unavailable. The attacker encrypted civil and criminal legal case bundles stored on an archive server, and the backups were encrypted as well. Although only the archive server was affected rather than the live server, a significant number of personal data records were compromised: nearly one million individual files were encrypted.

Although the breach resulted from an external attack rather than any positive action by the firm, the ICO found that its security measures were inadequate. In particular, Tuckers did not use multi-factor authentication (MFA) for remote access to its servers and files, and it had failed to apply security patches as they were issued by software providers. The ICO also noted a failure to encrypt personal data. Despite Tuckers having reported the breach promptly and taken steps to mitigate the harm to data subjects, the ICO considered the breach serious enough to warrant a fine representing 3.25% of Tuckers’ annual turnover to 30 June 2022. A very big deal indeed.

While commentators have expressed surprise at the severity of the sanction, the ICO’s position is that compliance with the UK GDPR should by now be clearly understood and applied by businesses of whatever size and nature. Compliance can be proportionate to the size and nature of the business, but senior management should always be aware of the obligations and ensure that all staff receive appropriate training to minimise the risk of a breach.

On 9 August 2023, the ICO issued a formal reprimand to Swinburne, Snowball and Jackson (SSJ), published on the ICO website. SSJ had been the target of a spear-phishing attack on an employee’s email account, in which a fraudster impersonated a member of staff and interfered with payments to the beneficiaries of a probate matter. As soon as it became aware of the incident, SSJ reported it to its insurers and to the SRA, and informed the individuals affected. However, it did not report the matter to the ICO until 12 days after the incident. As noted above, reportable breaches must be notified to the ICO within 72 hours of the firm becoming aware of them. SSJ said it had been unaware of this requirement.

The ICO noted that SSJ did not have a suitable contract in place with its IT provider defining security responsibilities or the level of security required. It also noted that MFA was not enabled on the affected email account, and that SSJ had started, but not completed, an application for certification under the National Cyber Security Centre’s Cyber Essentials scheme, which is a recommended baseline security measure.

The ICO acknowledged that prompt action had been taken to address the breach and that, although payments were delayed, the beneficiaries of the probate did not lose money. It therefore concluded that a fine was not the appropriate penalty and instead issued a formal reprimand, published on the ICO website, finding that the firm had processed personal data in breach of Articles 5(1)(f) and 32(1)(b). The ICO also made seven recommendations:

  1. Ensure that senior management takes responsibility for the security of personal data processing and that security is regularly assessed against known threats.
  2. Perform regular reviews of user privileges and apply strong authentication, such as MFA, to any remote access.
  3. Consider creating a separate, formal password policy that directs users to appropriate levels of access control.
  4. Implement measures to reduce the risk of social engineering attacks, such as anti-spoofing measures.
  5. Deliver data protection training (including on cyber security) to all employees on a regular basis, and evaluate how that training is controlled, delivered and monitored.
  6. Determine and communicate security requirements to IT suppliers and formalise responsibilities in a contract.
  7. Conduct regular assessments of security controls.

It is well-nigh impossible to eliminate the risk of a data breach, but by training staff and taking sensible and proportionate security measures, firms can significantly reduce the risks and be well prepared to respond should the worst happen.

Patrick Wheeler is head of data protection at Collyer Bristow and committee member of the London Solicitors Litigation Association (LSLA)