New ICO fine reveals security must-haves

Viewpoints
March 11, 2022

As anyone who’s married or related to a lawyer can attest, we’re pretty much perfect people.  Well-adjusted, rarely stressed and with a keen sense of work-life balance.  That whole “let’s kill all the lawyers thing”?  I don’t predict a bright future for the guy(s) who wrote that.

But very occasionally lawyers get it wrong.  The UK ICO's latest GDPR fine is a case in point. 

Yesterday, the ICO announced that it had fined British criminal law firm Tuckers Solicitors over a ransomware attack that resulted in the encryption of 972,191 files, including nearly 25,000 relating to court proceedings. The fine is fairly small – GBP 98,000 – and so unlikely to make too many headlines. But the ICO’s penalty notice contains a number of helpful pointers that set out what it expects from controllers in order to meet their security obligations under the GDPR.

  • Multi-factor authentication. The ICO considered that MFA is a comparatively low-cost preventative security measure which Tuckers should have implemented — and the same would apply to other controllers that process sensitive personal data (or, really, any data). So avoid basing access on a single username and password alone, as this won't meet the requirements of Article 32(1)(b) of the GDPR.
  • Patch it up. Tuckers waited more than four months after a software patch was released before installing it, despite the patch being widely publicised (and free).  The ICO found that because of the sensitivity of the data in question, combined with the use of infrastructure containing known critical vulnerabilities, delaying the update meant that the firm had not ensured appropriate security of its data in line with Article 5(1)(f) of the GDPR.
  • Encryption, encryption, encryption. Whilst encryption may not have prevented the attack, the ICO noted that it could have helped to mitigate the risks to individuals by ensuring the confidentiality of the exfiltrated data.  In assessing what amounts to "state of the art" for the purposes of Article 32 of the GDPR, the ICO referenced the ISO and NIST standards, as well as its own guidance on encryption.  Where encryption is an industry norm — which is to say, most industries — it's likely that the ICO will look dimly on your failure to have it in place.

This may all sound like basic stuff – and, truth be told, it mostly is. But the Tuckers fine underscores the importance of getting the simple things right and keeping o' the windy side of the law.