The UK Data Protection Authority, the Information Commissioner's Office (ICO), announced yesterday that it had fined a law firm, Tuckers Solicitors LLP, on 28 February for GDPR breaches. Tuckers was fined £98,000 after being hit by a ransomware attack.
There are some technical GDPR terms used in this note which are explained at www.bit.ly/gdprwords.
Tuckers claim to be “the UK’s leading criminal defence lawyers” and according to their website, they specialise in criminal law, civil liberties and regulatory proceedings.
Tuckers became aware of the attack on 24 August 2020. A ransomware note was delivered on the same day. On 25 August 2020, Tuckers told the ICO that their backups had also been encrypted by the attacker and, as a result, determined that the attack had resulted in a data breach. Tuckers explained to the ICO that the attack resulted both in the unavailability of personal data and in the loss of confidentiality. It is important to remember that unavailability of data can also constitute a data breach even if the data is not taken from the system (known in the trade as exfiltration).
The attacker encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. The files included both personal data and sensitive personal data (called special category data under GDPR).
Tuckers told the ICO that part of the reason for the attack was the late application of a patch to fix a vulnerability. In our experience, unapplied patches are a common cause of ransomware attacks. Experience also shows that regulators are often unsympathetic when patches are not applied in time and the unpatched vulnerability is then used to mount an attack. The ICO was also critical of the fact that multi-factor authentication (MFA) was not used to secure remote access to Tuckers' servers. Again, in our experience, this is a frequent criticism from regulators.
What did the ICO say?
The ICO was concerned that Tuckers had failed to process personal data in a manner that ensured the appropriate security of that personal data. As we have said before, there is an obligation under GDPR to take appropriate technical and organisational measures (TOMs) to try to prevent data breaches from happening. The investigation highlighted a number of concerns from the ICO over Tuckers' compliance.
The ICO also took into account the fact that Tuckers had been assessed under the NCSC Cyber Essentials Scheme in October 2019 but that it had failed to meet the requirements of the scheme. It had not followed NCSC advice. The ICO said “the fact that some 10 months after failing Cyber Essentials, it had still not resolved this issue is, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations … when it failed its Cyber Essentials assessment, it should have quickly and promptly resolved the inadequacies. Had it done so, it could have demonstrated a much stronger approach to compliance and would have greatly reduced the likelihood of this personal data breach from occurring.”
The ICO was also concerned that some data which was the subject of the breach had been stored beyond the 7 year retention period that Tuckers had set.
The ICO did give Tuckers credit for the work that it had done after the breach, including changes to its IT infrastructure and the implementation of MFA. Tuckers also engaged with City of London Police to put in place a system of mandatory training for employees under the City of London Police's Cyber Griffin scheme. It also said that it was in the process of applying again for Cyber Essentials and then Cyber Essentials Plus. It said that it had also made considerable investment in new IT team members, including third-party specialists, to beef up its security team, and that it planned regular penetration testing.
Tuckers does have the right of appeal. We do not know yet whether they intend to exercise that right of appeal. A significant number of organisations have appealed against GDPR fines and some of those appeals have been successful.
What about other regulations?
Tuckers are also regulated by the Solicitors Regulation Authority (SRA). In January 2021, the SRA issued a warning about documents misusing the name of Tuckers. It is not known whether this is connected to the ransomware incident or whether the SRA is also investigating the breach. As a general rule, an increasing number of organisations are subject to more than one regulatory regime, whether because of their profession, because they hold financial services licences or because they are also subject to the NIS Directive (see https://www.corderycompliance.com/client-alert-nis-2-directive/). This can lead to additional challenges in coordinating response and reporting to different regulators.
The ICO has said in its Enforcement Notice that it believes that Tuckers has failed to comply with its SRA obligations.
What can organisations do to avoid this happening to them?
As we said in our alert in March 2020 (here: www.bit.ly/cvransom), ransomware is on the rise and criminals are increasing the number and sophistication of attacks. Organisations need to strengthen their defences. That will include:
- Making sure that you act promptly on security concerns. Failing a security assessment or audit like Cyber Essentials is a clear red flag. If you ignore an assessment like this or pretend it never happened you’re asking for trouble. David Brent once said “If at first you don’t succeed, remove all evidence that you ever tried”. That’s unlikely to be a wise strategy when it comes to cyber security assessments.
- Making sure everyone in your organisation knows the risk. This will include key contractors too. Train for today's risks, not yesterday's. We're seeing more ransomware across our desks at the moment with the invasion of Ukraine. We've written about that specifically, with some additional recommendations, here: https://bit.ly/ukrwar
- When it comes to attacks like this, think "when", not "if". Prepare for a breach. Breaches are inevitable, so preparation is key. This might include having good lawyers on standby, since we know that the initial hours after a breach are crucial in successfully defending claims. This is also likely to include rehearsing a breach, for example with a Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/).
- Putting the right TOMs in place to protect data. This will include things like MFA. It might also include tools like BlackFog to monitor your network and look for threats which have bypassed the firewall. You'll also need to make sure you patch against known vulnerabilities promptly.
- You may also want to consider your position on ransomware payments and agree a strategy in advance. We have a more detailed note looking at the 'To Pay or Not to Pay' considerations for ransomware here: https://bit.ly/ransompay. Again, that's an area of heightened risk given the extension of the sanctions regime and recent action against cryptocurrency exchanges.
- Finally, it is worth remembering that you're unlikely to be able to insure this risk away – insurers are tightening up on coverage where ransomware is involved.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
There is more advice from NCSC on ransomware here https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785