Cyber and data security – five legal obligations you should not ignore
In 2022, the Information Commissioner's Office (ICO) fined Tuckers solicitors £98,000 for neglecting security practices. Then later that year, the ICO fined the construction firm Interserve £4.4m over its failure to protect its employees’ data from cyberattacks.
These examples should alert all businesses, but especially those in the legal profession, to the need to comply with legal obligations imposed by UK GDPR for the security of all personal data they hold and process.
So here is a short reminder of some basic legal obligations.
1. Do a risk assessment
The business must undertake a cybersecurity risk assessment – that is, an assessment and analysis of the security risks involved in the holding and use of any personal data.
It must cover many elements, including:
- the security of your technology
- the way it is accessed
- where data is held and how it moves around the business
- the nature and sensitivity of the data concerned
- the people using it
- the third parties who you allow to access/process it
- the security policies in place (or not)
Doing this will, of course, include technical assessments. But it also needs to identify all vulnerabilities, not just technical ones, and give you visibility of your risks.
And because of point five below, your risk assessment should be documented.
It's a specialist job – and different to IT support. In respect of the technical side, the ICO says “this is a complex technical area that is constantly evolving, with new threats and vulnerabilities emerging”.
That is why, to understand where the risks are, the risk assessment needs to be undertaken by someone with genuine cyber risk management experience, who is up to speed on the current methods of attack and knows how to defend against them.
2. Put measures in place
After you have done an assessment (and only after you have done this), you must put in place appropriate technical and organisational measures to protect the personal data and the security of its use and the systems themselves.
Unless you have first taken step one, you cannot judge what are the appropriate measures to put in place to control the risks identified. The ICO is clear on that point.
The measures must cover three key areas. The first is technical measures, including:
- encryption of data
- multi-factor authentication
- access controls
- configuration of your email systems
- configuration of firewalls
- configuration of backups
- security of individual devices (including bring your own device (BYOD))
- remote access arrangements to networks and cloud platforms
- ensuring the right alerts are switched on, software is up to date and a whole raft of other things
In determining appropriate measures, regard should be given to relevant industry standards of good practice including the ISO 27001 series, the National Institute of Standards and Technology (NIST), and various guidance from the ICO, the National Cyber Security Centre (NCSC), the Solicitors Regulation Authority (SRA) and others.
The ICO describes Cyber Essentials (and therefore CE Plus, which is an audited version of CE) as a “base” set of controls and, in the Tuckers case, stated that given the nature of the personal data involved, the security should have “surpassed” those basic requirements.
This should be a warning for all professional service firms handling confidential data who mistakenly believe that CE certification provides adequate protection.
The second is organisational measures. This includes training staff, and building what the ICO calls “a culture of security awareness within your organisation”.
Because of point three below, you must test and assess the effectiveness of your training. One way of doing this is to undertake simulated phishing attacks.
The third is policies and procedures. Your risk assessment will help to determine exactly what policies you must have, together with the procedures for staff and others to follow, and the systems you need to have in place to check that your organisational controls are effective (which includes regularly assessing risks).
Some of this will be for all staff. Some will be for individuals within the organisation with responsibility for security. This can include all sorts of things from password management to incident response arrangements.
3. Test and evaluate
You must have a process for regularly testing, assessing and evaluating the effectiveness of the measures you put in place. That is why compliance with the law is not a one-off exercise.
In this context, the ICO refers to vulnerability scanning as a way to “stress test” technology.
4. Follow GDPR
UK GDPR creates a robust reporting and enforcement regime. Depending on the precise circumstances, this requires incident reporting to the ICO and to customers whose data may have been compromised.
The ICO can impose very significant fines (and publish the details) on businesses which have failed to comply with obligations. Fines are not recoverable under insurance policies.
In deciding the fine, it will look to see what technical and organisational security measures the business had actually put in place.
In the Tuckers case, the ICO said that the starting point for the negligent security breach was 3.25% of annual turnover. Bear in mind that in addition to this, individuals affected by a breach are entitled to compensation.
Of course, the greatest cost and damage following a breach is usually:
- disruption – the average down time in 2021 was 21 days but is frequently more
- ransom payments – the average ransom payment in 2021 was £628,000 but can run into millions
- the destruction of reputation and client relationships
5. Document everything
All businesses must be able to demonstrate compliance with all of the above legal obligations, which is why they must have a way of documenting what they have done.
As a separate matter, legal practitioners ought to think about the relationships which exist between instructing solicitors (some of whom are now freelance), chambers and self-employed barristers, to ensure the correct data controller and data processor contractual arrangements are in place.
Professional regulatory requirements
All regulators of professional service businesses expect compliance with the law, as well as adherence to separate regulatory responsibilities including the duty to report breaches. Those obligations are not limited to personal data.
In Tuckers, the ICO highlighted certain provisions of the SRA’s Code of Conduct for Firms including the following paragraphs:
- 2.1a (the need for effective governance structures, arrangements, systems and controls for compliance with regulation and law)
- 2.5 (identify, monitor and manage all material risks to your business)
- 3.1 (keep up to date with and follow law and regulation)
- 5.2 (safeguard money and assets [including documents] entrusted to you by clients and others)
The failure to meet those standards of the code was regarded as an aggravating factor.
This has implications for other regulated professions.
In the context of a chambers breach, we can expect the ICO to scrutinise the following sections of the Bar Standards Board (BSB) Handbook:
- CD 6 (confidentiality)
- CD 10 (managing the practice competently and in compliance with legal and regulatory obligations)
- rC89.5 (proper arrangements for ensuring the confidentiality of clients’ affairs)
- gC134.1 (putting in place and enforcing adequate procedures for protecting confidentiality)
- gC134.2 (complying with data protection obligations imposed by law)
- gC134.4 (to take account of other BSB guidance)
The ICO can also scrutinise the information security guidance issued by the General Bar Council in January 2021 and the information security questionnaire agreed by the Law Society and Bar Council.
There are good reasons for the security obligations imposed under UK GDPR and by professional service regulators. There are good security reasons to comply with them beyond mere compliance.
Leaders who ignore them are lagging behind and are putting their partners’ and colleagues’ business and financial interests at risk, because a serious cyber breach can have devastating consequences.