So here is a short reminder of some basic legal obligations.
1. The business must undertake a cybersecurity risk assessment – that is, an assessment/analysis of the security risks involved in the holding and use of any personal data. It must cover many elements – the security of your technology, the way it is accessed, where data is held and how it moves around the business, the nature and sensitivity of the data concerned, the people using it, the third parties who you allow to access/process it, the security policies in place (or not), and much more.
Doing this will of course include technical assessments. But it also needs to identify all vulnerabilities, not just technical ones, and give you visibility of your risks. And because of point 5 below, your risk assessment should be documented. It is a specialist job – and different to IT support. In respect of the technical side, the ICO says “This is a complex technical area that is constantly evolving, with new threats and vulnerabilities emerging.” Which is why, to understand where the risks are, the risk assessment needs to be undertaken by someone with genuine cyber risk management experience, who is up to speed on the current methods of attack and knows how to defend against them.
2. After you have done this (and ONLY after you have done this), you must put in place appropriate technical and organisational measures properly to protect the personal data and the security of its use and the systems themselves. Unless you have first taken step 1, you cannot judge what are the appropriate measures to put in place to control the risks identified. The ICO are clear on that point.
The measures must include 3 key areas.
Technology i.e. controlling the technical risks and vulnerabilities identified. Examples include encryption of data, multi-factor authentication, access controls, configuration of your email systems, configuration of firewalls, configuration of backups, security of individual devices (including BYOD), remote access arrangements to networks and cloud platforms, ensuring the right alerts are switched on, software is up to date, and a whole raft of other things.
It should be noted that the ICO describes Cyber Essentials (and therefore CE Plus which is just an audited version of CE) as a “base” set of controls, and in the Tuckers case, stated that given the nature of the personal data involved, the security should have “surpassed” those basic requirements. This should be a warning for all professional service firms handling confidential data who mistakenly believe that CE certification provides adequate protection.
People. This includes training staff, and building what the ICO calls “a culture of security awareness within your organisation”. And because of point 3 below, you must test/assess the effectiveness of your training. One way of doing this is to undertake simulated phishing attacks.
Governance – your risk assessment will help to determine exactly what policies you must have, together with the procedures for staff and others to follow, and the systems/arrangements you need to have in place to check your organisational controls/measures are, and continue to be, effective (which includes regularly assessing risks). Some of this will be for all staff. Some will be for individuals within the organisation with responsibility for security. This can include all sorts of things from password management to incident response arrangements.
3. You must have a process for regularly testing, assessing and evaluating the effectiveness of the measures you put in place. Which is why compliance with the law is not a one-off test. In this context, the ICO refers to vulnerability scanning as a way to “stress test” technology.
4. UK GDPR creates a robust reporting and enforcement regime. This requires, depending on the precise circumstances, incident reporting to the ICO and also to clients/customers whose data may have been compromised. The ICO can impose very significant fines (and publish the details) on businesses which have failed to comply with obligations (and fines are not recoverable under insurance policies). In deciding the fine, they will look to see what technical and organisational security measures the business had actually put in place. In the Tuckers case, the ICO said that the starting point for their negligent security breach was 3.25% of annual turnover. Bear in mind that in addition to this, individuals affected by a breach are entitled to compensation.
Of course the greatest cost and damage following a breach is usually in disruption (the average downtime in 2021 was 21 days but is frequently more); ransom payments (the average ransom payment in 2021 was £628,000 but can run into millions); and the destruction of reputation and client relationships.
5. All businesses must be able to demonstrate compliance with all of the above legal obligations, which is why they must have a way of documenting what they have done.
As a separate matter, legal practitioners ought to think about the interesting relationships which exist between instructing solicitors (some of whom are now freelance), chambers, and self-employed barristers, to ensure the correct data controller/data processor contractual arrangements are in place.
Professional regulatory requirements.
All regulators of professional service businesses expect compliance with the law, as well as adherence to separate regulatory responsibilities including the duty to report breaches. Those obligations are not limited to personal data.
In Tuckers, the ICO highlighted certain provisions of the Solicitors Regulation Authority’s Code of Conduct including paragraph 2.1a (the need for effective governance structures, arrangements, systems and controls for compliance with regulation and law); para 2.5 (identify, monitor and manage all material risks to your business); para 3.1 (keep up to date with and follow law and regulation); para 5.2 (safeguard money and assets [including documents] entrusted to you by clients and others); as well as referring to other relevant guidance issued by the SRA. The failure to meet those standards of the Code was regarded as an aggravating factor.
This has implications for other regulated professions. In the context of a chambers breach, one can expect the ICO to scrutinise (for example) the BSB Handbook CD 6 (confidentiality); CD 10 (managing the practice competently and in compliance with legal and regulatory obligations); rC89.5 (proper arrangements for ensuring the confidentiality of clients’ affairs); gC134.1 (putting in place and enforcing adequate procedures for protecting confidentiality); gC134.2 (complying with data protection obligations imposed by law); gC134.4 (to take account of other BSB guidance); the Information Security guidance issued by the General Bar Council in January 2021; and the recent Information Security Questionnaire agreed by the Law Society and Bar Council.
There are good reasons for the security obligations imposed under UK GDPR and by professional service regulators. And there are good security reasons to comply with them beyond mere compliance. Leaders who ignore them are lagging behind and are putting their partners’ and colleagues’ business and financial interests at risk. Because a serious cyber breach can have devastating consequences.