In March this year, the Information Commissioner’s Office (ICO) fined Tuckers Solicitors LLP £98,000.
Tuckers had been hit by a ransomware attack that caused the encryption of almost one million files and the release of a small number of these onto the dark web. Ransomware attacks are criminal offences under the Computer Misuse Act. So why did Tuckers, the victim of a serious criminal act, end up being fined by the ICO?
The answer lies in the obligations placed on businesses by the UK’s data protection laws. Organisations that collect and use information about identifiable individuals (which is known as personal data) must comply with the data protection principles set out in the UK General Data Protection Regulation. These provide broad principles for good data handling, rather than very specific rules.
Security of data is key. The relevant data protection principle states that personal data must be used “in a manner that ensures appropriate security of the personal data … using appropriate technical or organisational measures.” There is a lot of flexibility in this principle. It isn’t an absolute obligation to keep personal data secure in all circumstances, which would be unrealistic and impossible to achieve. Instead, it requires organisations to take appropriate steps to ensure that personal data is kept securely.
In practice, businesses must make an assessment of the likely threats, the potential value of the data they hold and the sorts of security measures available. By way of analogy, think about the security of your house. You would certainly want to have working locks on the doors and valid insurance cover. If you had any particularly valuable items, you might want to take additional steps, such as using a lockable safe. In some circumstances, you might want to install CCTV or even employ a security guard, but that wouldn’t be appropriate for every house.
Returning to Tuckers, the fact that personal data for which Tuckers was responsible fell into the wrong hands is not in itself evidence of a breach of data protection law. An organisation could have in place what appear to be perfect security measures, and yet still find itself a victim of a previously unknown or particularly sophisticated threat. Unfortunately for Tuckers, the ICO’s investigation found this wasn’t the case.
The ransomware attack affected Tuckers’ archive server. The attacker encrypted almost one million individual files, contained within 25,000 court bundles. These bundles contained personal data relating to thousands of individuals, and included sensitive information relating to criminal offences and allegations. Most damagingly, the attacker managed to download 60 court bundles that were later published on the dark web.
Tuckers acted straight away when they discovered the attack. They informed the ICO within the 72-hour window that data protection law sets for reporting a personal data breach, and later informed affected data subjects. They also informed the police, instructed third party investigators and took steps to contain the situation. Whilst all of these actions were appropriate after an attack of this nature, the ICO focussed its investigation on the period before the attack took place. Of course, it was the unknown attacker who was responsible for carrying out the attack. But, to continue the house analogy, had Tuckers left the front door unlocked?
The ICO looked at the security measures Tuckers had in place for the period from 25 May 2018, when the General Data Protection Regulation took effect in the UK, to 24 August 2020, when the attack was discovered. Although the exact method used by the attacker was not identified, the ICO noted that Tuckers failed to apply a patch to a known system vulnerability for a period of five months after its release. Had the patch been applied promptly, the attack might not have occurred. The ICO also criticised Tuckers for failing to use multi-factor authentication for remote access to its systems and for failing to encrypt its archived files.
The use of multi-factor authentication and the need to apply security patches in a timely manner are both recommended by the National Cyber Security Centre (NCSC) and the Solicitors Regulation Authority (Tuckers’ regulator). The ICO noted that Tuckers’ own internal policies required all software and operating systems to be updated regularly. On encryption, the ICO found that given the highly sensitive nature of the personal data and the relatively low costs of encryption, Tuckers should not have been storing their archived files unencrypted. It is worth being precise about what encryption at rest would have achieved here: it would not have stopped the attacker from encrypting the archive server and demanding a ransom, but, provided the keys were held separately from the archive, the 60 court bundles that were downloaded would have been unreadable to the attacker and of no value on the dark web. For all these reasons, the ICO found that Tuckers had failed to take appropriate steps to keep personal data secure, and fined them £98,000.
Most businesses are unlikely to be holding personal data that is quite as sensitive as the data Tuckers held. However, there are important lessons from this case about the simple steps that all businesses can take to keep personal data secure. You should keep up to date with evolving threats, listen to (and act on) the advice of the NCSC and any sector-specific regulator, and make sure you always follow your own policies and procedures for keeping personal data secure. They may not stop an attack happening, but they could protect your business from a fine.