The ICO issued a Penalty Notice under Section 155 of the Data Protection Act 2018 (DPA) to Tuckers Solicitors LLP. The ICO has the power to fine organisations that are found to be in breach of the UK GDPR. That power derives from Article 83 of the UK GDPR, which sets out the considerations the ICO, as supervisory authority, must take into account when deciding whether to issue a fine and how much it should be.
Tuckers became aware of a ransomware attack on its systems on 24 August 2020 when parts of its IT system became unavailable. Upon investigation, its IT staff identified a ransomware note from the attacker stating that they had compromised Tuckers’ system. On 25 August 2020, Tuckers submitted a personal data breach notification to the ICO.
In its investigation, the ICO determined that, over some or all of the relevant period, Tuckers had failed to implement appropriate technical and organisational measures, and that this failure left it vulnerable to the attack.
The attack resulted in the encryption of 972,191 individual files of which 24,712 were Court bundles. Following the attack, 60 of the Court bundles were extracted by the attacker and published on the dark web.
These bundles included documents such as medical records, witness statements, and the names and addresses of witnesses and victims, together with the alleged offences of the individuals concerned. The bundles therefore contained not only ordinary personal data but also special category data (health information) and criminal offence data, which attract additional protection under Articles 9 and 10 of the UK GDPR.
What should you be doing as a controller or processor to protect the personal data you process?
The UK GDPR and the DPA set out various obligations in relation to the processing of personal data. Under Article 5(2), data controllers are responsible for, and must be able to demonstrate, compliance with the processing principles set out in Article 5(1). Within these principles, data controllers have a duty to ensure that the data being processed is secure. The principles that relate to the security of data are as follows:
- Article 5(1)(f) – Integrity and Confidentiality – Personal data should be processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This should be achieved by using the appropriate technical or organisational measures.
- Article 5(1)(e) – Storage Limitation – Personal data shall be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Article 32 of the UK GDPR deals specifically with the security of processing. It requires both the controller and the processor to implement appropriate technical and organisational measures to achieve a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. Where appropriate, those measures include the pseudonymisation and encryption of personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. In a ransomware scenario, the last two are as important as the first: an organisation that cannot restore its own data promptly, and has not tested whether it can, has not met the standard regardless of the controls it believes are in place.
What was decided?
The ICO accepted that primary culpability for the incident rests with the attacker. However, Tuckers did not have the relevant security measures in place and therefore left a weakness for the attacker to exploit.
Tuckers was therefore found to be in contravention of Article 5(1)(f). Given the volume and nature of the personal data being processed, the ICO found that the breach was sufficiently serious to justify enforcement action. Tuckers was issued with a Monetary Penalty Notice and a fine of £98,000 was imposed.
If you think you have been affected by a data breach, it is important to seek expert legal advice as soon as possible.