In the recent decision concerning the UK law firm Swinburne, Snowball and Jackson (“the law firm”) the UK Information Commissioner’s Office (“the ICO”) issued an official reprimand with regard to various infringements of UK GDPR security provisions committed by the law firm and also expressed its concerns about the firm’s late reporting to the ICO. This article sets out highlights of the decision.
What’s the factual background?
According to the ICO:
- An attacker apparently compromised an employee's Outlook email account through a spear-phishing attack and interfered with payments to certain beneficiaries. After the law firm's bank got in contact on 14 January 2021, four fraudulent payments were identified (the total amount is redacted in the decision); and,
- An independent cyber security firm apparently identified the first malicious sign-in as having occurred on 11 January 2021; the account password was changed on 15 January 2021; and,
- The law firm apparently reported the matter to its insurers and the Solicitors Regulation Authority on 15 January 2021. The law firm then notified the ICO on 26 January 2021, twelve days after it had "confirmed it had a reasonable degree of certainty the security incident had led to a personal data breach".
What were the ICO’s findings?
The ICO’s findings were as follows:
- The breach apparently involved a large sum of money and resulted in a twenty-one-day delay in the payments to the beneficiaries in question;
- The law firm apparently did not have a suitable contract in place with its IT provider defining security responsibilities or the level of security required. The law firm was therefore unable to demonstrate whether, or how, preventative, detective or auditing measures had been implemented for its email accounts;
- The law firm apparently did not have multi-factor authentication in place for the affected email account; the law firm apparently told the ICO that its IT contractors had not previously suggested this. The law firm has apparently since implemented multi-factor authentication; and,
- The law firm apparently started, but did not complete, accreditation to the National Cyber Security Centre's ("NCSC") "Cyber Essentials" scheme (a government-supported scheme designed to help businesses protect against basic cyber-attacks through self-assessment; for more information see here: https://www.ncsc.gov.uk/cyberessentials/overview).
What did the ICO conclude?
The ICO concluded as follows:
- The law firm failed to comply with Article 5(1)(f) of UK GDPR, which requires personal data to be processed securely, and Article 32(1)(b) of UK GDPR, which requires appropriate measures to be in place to ensure a level of security appropriate to the risk and ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ICO took into consideration the remedial steps undertaken by the law firm, including its prompt notification of affected individuals, its commissioning of a third-party cyber security firm to investigate and report on the incident, and its liaison with its IT consultants for advice and assistance with remedial measures; the ICO also noted that the law firm's clients were all repaid in full (on 3 February 2021).
The ICO therefore issued the law firm with an official reprimand under Article 58(2)(b) of UK GDPR (for the full Article 58 see here: https://www.legislation.gov.uk/eur/2016/679/article/58).
Did the ICO make any recommendations?
The ICO made the following official recommendations (in line with Article 5(1)(f) and Article 32(1)(b) of UK GDPR) to the law firm:
"1. Ensure senior management are accountable for the security of its personal data processing, and information security is regularly assessed in line with known threats.
2. Perform regular reviews of user privileges and enable strong authentication for any remote access into the network or internet facing services, such as cloud services. The NCSC's introduction to identity and access management guidance includes useful advice on privileged user management.
3. Consider the creation of a separate and formal password policy which directs users to appropriate levels of access controls. The NCSC's Password administrator for system owners guidance will provide support in implementing appropriate password strategies.
4. Implement measures to reduce the risk of social engineering attacks, such as anti-spoofing measures. The NCSC's Phishing Attacks: Defending your organisation guidance will provide support in implementing controls to prevent phishing attacks.
5. Deliver data protection training, with reference to cyber security, to all employees on a regular basis and evaluate the methods of control, delivery and monitoring of such training. Also regularly raise awareness of data protection, information governance and associated policies and procedures.
6. Determine and communicate security requirements to a supplier and formalise responsibilities within a contract. As part of this, establish how to seek assurances a supplier has implemented appropriate levels of security. The NCSC supply chain security guidance provides practical examples of how to manage security within a supply chain.
7. Conduct regular assessments of security controls to ensure they are achieving their intended outcomes."
It should be noted that the ICO stated that the measures set out above are suggestions and not regulatory requirements that the law firm must implement.
What did the ICO decide about the late reporting?
In the event of a personal data breach, UK GDPR requires the breach to be reported to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of an individual.
According to the ICO, the ICO understood from the law firm’s breach report that the law firm “was initially unaware of the 72 hour deadline and focused primarily on identifying and containing the damage caused by the breach. [The law firm] further explained it was a small practice and had taken action to report to the [Solicitors Regulation Authority] and insurers within 24 hours.”
The ICO pointed out however that “if a reportable personal data breach occurs, it must be reported to [the ICO] without undue delay and no later than 72 hours of becoming aware of it”, and, “in instances where all of the information regarding a breach cannot be initially provided, [UK] GDPR allows a data controller to report the breach and provide information in phases.”
The ICO concluded that “We are concerned to note that the law firm [was] not immediately aware of the reporting requirements under [UK] GDPR. [The law firm] should therefore ensure all staff are appropriately trained in this area, especially those responsible for overseeing [the] organisation’s data protection obligations.”
What are the takeaways?
The takeaways are that organizations (and not just law firms) should consider:
- Reviewing their systems to ensure that they keep data secure, including putting in place measures such as multi-factor authentication and obtaining accreditation under the NCSC's Cyber Essentials scheme, if these are not already in place;
- Having in place a contract with their IT service provider that ensures the security of personal data, and doing due diligence on prospective IT service providers;
- Reviewing their policies, processes and procedures to ensure that breaches can be reported within the 72-hour reporting deadline; sadly, the reality is that a breach is most likely a question of "when" and not "if", so be prepared for breaches (plural, not just one) across the whole organization;
- Training staff on keeping personal data secure and on what to do if things go wrong, including reporting requirements (internally, i.e. speak up, and to the ICO);
- Ensuring that everyone in the organization, including senior management and the board, is aware of data protection risks, including those concerning security breaches; and,
- Checking what insurance is in place to cover data protection infringements, including breaches.
We previously reported on another law firm’s data breach (a ransomware attack, which resulted in a fine imposed by the ICO of £98,000) here: https://www.corderycompliance.com/law-firm-gdpr-breach-fine/.
We report on data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The ICO’s decision can be found here: https://ico.org.uk/action-weve-taken/enforcement/swinburne-snowball-and-jackson/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365