In 2022, the ICO fined Tuckers Solicitors £98,000 for neglecting security requirements mandated by UK GDPR. Then later in the year, the ICO turned up the heat by fining the construction firm Interserve £4.4m over its failure to protect its employees’ data from cyberattacks. The Information Commissioner said companies should “expect a similar fine from my office” if they fail to put proper protections in place. These examples should serve as a reminder to all organisations, particularly those in professional services, that they must comply with their legal duties to protect personal data.
So here is a short reminder of some basic legal obligations.
1. The organisation must conduct a cybersecurity risk assessment – which involves an assessment/analysis of the security risks related to the holding and use of any personal data. Some elements it must cover include – the security of your technology, the way it is accessed, where data is held and how it moves around the business, the nature and sensitivity of the data concerned, the people using it, the third parties who you allow to access/process it, the security policies in place (or not), and much more.
Completing this will involve technical assessments. However, it is important to identify the non-technical vulnerabilities too, in order to gain a proper understanding of your risks. And because of point 5 below, your risk assessment should be documented. Do not assume your IT support have this covered. Cybersecurity is a specialist, independent discipline. As regards the technical side, the ICO states “This is a complex technical area that is constantly evolving, with new threats and vulnerabilities emerging.” Consequently, to determine the potential risks, a risk assessment must be performed by someone with extensive knowledge of cyber risk management and an understanding of current methods of attack in your sector, as well as how to protect against them.
2. After you have done this (and ONLY after you have done this), you must implement appropriate technical and organisational measures in order to protect the personal data and the security of its use and the systems themselves. You must take step 1 before assessing which measures are necessary to control the identified risks. The ICO are clear on that point.
The measures must include 3 key areas.
Technology. This requires controlling the technical risks and vulnerabilities identified. There is a lot to consider here. Examples include encryption of data, multi-factor authentication, configuring firewalls and backups, making sure individual devices are secure (including BYOD), managing remote access to networks and cloud applications, configuring alert systems (are they even switched on?), and updating software – these are some of the ways to improve technical security. There is a whole raft of other things.
The ICO noted that Cyber Essentials (and therefore CE Plus which is no more than an audited version of CE) was a “base” set of controls, and in the Tuckers case, stated that given the nature of the personal data involved, the security should have “surpassed” those basic requirements. Professional service firms who deal with confidential data and information should be aware that CE certification does not provide adequate protection and this case should serve as a warning.
People. This consists of training staff, and building what the ICO calls “a culture of security awareness within your organisation”. And due to point 3 below, you need to test/assess the effectiveness of your training. Carrying out simulated phishing attacks is one way to do this.
Governance. Your risk assessment will help identify which policies you need, the procedures for employees to follow, and the systems/arrangements necessary to check that your organisational controls/measures are, and continue to be, effective.
3. You must have a process by which you can regularly test, assess and evaluate the effectiveness of the measures you put in place. This is why compliance with the law is not a one-off test. In this context, the ICO refers to vulnerability scanning as a way to “stress test” technology.
4. UK GDPR creates a robust reporting and enforcement regime. Depending on the precise circumstances, you are required to report incidents to the ICO and to those whose data is involved in the breach (clients/customers). If a business has not been following its obligations, the ICO can issue hefty fines which are irrecoverable through insurance policies. They will also assess the adequacy of the technical and organisational security measures which the firm had in place when deciding the penalty. In the Tuckers case, the ICO said that the starting point for their negligent security breach was 3.25% of annual turnover. Remember also that individuals affected by a breach can claim compensation.
Other consequences may be more serious. In Q1 of 2022, the average downtime after a ransomware attack was 26 days, and it can take many months for a business to restore normal functionality. The average ransom payment was estimated to be £628,000, but it can run into millions. Reputation and client relationships can be ruined.
5. All businesses are required to prove their compliance with all of the legal obligations above, which is why they must have a way of recording/documenting their actions.
Professional regulatory requirements.
All regulators of professional service businesses expect compliance with the law, as well as adherence to separate regulatory responsibilities including the duty to report breaches. Those obligations are not limited to personal data.
In Tuckers, the ICO highlighted certain provisions of the Solicitors Regulation Authority’s Code of Conduct including paragraph 2.1a (the need for effective governance structures, arrangements, systems and controls for compliance with regulation and law); para 2.5 (identify, monitor and manage all material risks to your business); para 3.1 (keep up to date with and follow law and regulation); para 5.2 (safeguard money and assets [including documents] entrusted to you by clients and others); as well as referring to other relevant guidance issued by the SRA. The failure to meet those standards of the Code was regarded as an aggravating factor.
This has implications for other regulated professions. In the context of a breach relating to ICAEW members, one can expect the ICO to scrutinise (for example) ICAEW Code of Ethics, including 110.1 A1 Fundamental Principle (c) (Professional Competence and Due Care) and related R113 (competent professional service based on current standards and relevant legislation); Fundamental Principle (d) (Confidentiality) and related R114 (to take all reasonable steps to preserve confidentiality, and being alert to the possibility of disclosure); Fundamental Principle (e) (Professional Behaviour to comply with relevant laws and regulations) and related R115; industry standards of good practice, and all other guidance issued from time to time, including that issued by ICAEW, the ICO and NCSC.
UK GDPR and professional service regulators impose security obligations for good reasons. And there are good security reasons to observe them beyond mere compliance. Serious cybersecurity breaches are not acts of God. Leaders who do not ensure the right protective measures are in place are falling behind, letting their clients down, and putting their business and the financial interests of those they work with at risk.