By Patrick Hill, Phil Murrin and Jonathan Hopkins
Published 15 March 2022
No business, regardless of size, can ignore the heavy media coverage of cyber security and the associated threats in terms of financial exposures and reputational risks. Large law firms are no different to other commercial organisations of a comparable size, and have been impacted by industry-wide events, particularly ransomware attacks such as the NotPetya attacks in 2017 (which originated in Ukraine).
However, cyber attacks specifically directed against law firms are increasing, which is of itself not surprising given the vast amounts of money, information and client data that they retain. This is a troubling realisation, bearing in mind that law firms are inherently built upon strict confidence and trust from clients. In recent months, we have seen “watering hole” attacks in which bogus legal research websites have been set up expressly to lure lawyers into entering their username and password credentials, demonstrating that threat actors have the legal profession firmly in their crosshairs. The targets include not only firms of solicitors but also barristers, as we have seen with a number of publicised attacks against barristers’ chambers.
The ICO’s Monetary Penalty Notice against Tuckers
The impact of a security breach in terms of first-party costs and third-party exposures has been explored; what has not been widely understood is the financial impact of regulatory intervention. The Information Commissioner has just announced that it has issued Tuckers Solicitors a monetary penalty under section 155 of the Data Protection Act 2018 (“the DPA”) following a ransomware attack. The penalty notice imposes an administrative fine of £98,000 on Tuckers, in accordance with the Commissioner’s powers under Article 83 of the General Data Protection Regulation 2016 (“the GDPR”).
Given that ICO fines are relatively rare in the context of the number of notified breaches, it is instructive to examine the rationale behind the imposition of the monetary penalty notice. Undoubtedly a significant factor was the sensitive nature of the data that was encrypted in the ransomware attack. In total, over 900,000 files were encrypted, of which approximately 24,000 were court bundles. 60 of those were published on the dark web by the threat actor. The data included material relating to the most serious of crimes, including rape and murder, and sensitive data relating to vulnerable individuals, including children.
The principal areas of criticism were:
- Failure to implement multi-factor authentication (MFA), described by the ICO as a comparatively low-cost preventative measure, particularly bearing in mind the sensitive level of data processed by Tuckers;
- Failure to implement patching in accordance with industry guidance, including ISO 27002 and the NCSC Cyber Essentials recommendations (which recommend that patches rated as “high” or “critical” should be applied within 14 days); and
- Failure to encrypt personal data using “appropriate technical measures”.
Implications: insurance, regulatory and claims
The nature of the criticisms, which refer to Tuckers’ “negligent practice”, raises potential coverage issues in the context of any professional indemnity and/or cyber insurance policies; implementation of MFA and adherence to industry standards (in particular with regard to patching) are issues which cyber insurers are already raising at the proposal stage. The introduction of the cyber exclusion wording into the SRA’s Minimum Terms and Conditions (MTC), which sets out the extent to which cover is available under the MTC for cyber-connected exposure, means that law firms should be considering with their brokers whether bespoke cyber cover needs to be purchased, if not already in place.
As part of its deliberations, the ICO considered the SRA’s “Code of Conduct for Firms”, and concluded that Tuckers had failed to meet the standards set out relating to effective governance structures, arrangements, systems and controls. It also referenced repeated warnings and guidance from the SRA to the profession on the need for such effective systems and the steps available to guard against the prevailing risk.
The SRA’s requirement for effective systems and controls means that there is potential in such circumstances for a law firm to face regulatory attention from two regulators. The ICO notice explains that it relates back to first awareness on the part of Tuckers in August 2020. SRA guidance has identified the potential need to report to the ICO and the SRA, and whilst there may be regulatory overlap, there are also differing remits and responsibilities.
Whilst Tuckers informed those data subjects whom it assessed were likely to be at a high risk of harm, in accordance with its obligations under Article 34 GDPR, it is fair to assume that many of Tuckers’ clients (and those who may have been involved in cases where Tuckers were advising another party) will only have been alerted to the ransomware attack now that the ICO fine has been published. There is a risk that some will come forward with compensation claims, which will need to be dealt with, regardless of merit.
Summary
While the amount of the monetary penalty is not particularly high, considering how high some penalties can be, it is worth bearing in mind that one of the mitigating factors taken into account by the ICO is the size and resources of the organisation. The penalty is stated to be “effective, proportionate and dissuasive”. In other words, a larger law firm that fails to implement safeguards to the same extent can expect a much larger fine. It is worth emphasising that the financial consequences of an ICO fine go beyond the fine itself, as it is likely to have wider financial consequences in terms of insurance coverage, regulatory activity and liability claims.
Wider ramifications may include the increasing concern of the professional indemnity insurance market about risks arising out of cyber exposures, especially as the cyber exclusion wording makes clear the extent of coverage that remains available under the MTC. The notice emphasises the expectation that a law firm should not be processing personal data on “an infrastructure containing known critical vulnerabilities without appropriately addressing the risk.” It also noted that the Lexcel accreditation which Tuckers had achieved covered Cyber Essentials. Law firms should accordingly recognise the increasing focus that may be placed on the security of systems and controls at professional indemnity insurance renewals.
Patrick Hill, Philip Murrin and Jonathan Hopkins are members of DAC Beachcroft’s Professional & Financial Lines team, based in London.