Cyber and data security – five legal obligations not to ignore
The ICO’s recent finding of negligent security practices and resulting £98,000 fine of a law firm south of the border, Tuckers Solicitors, should alert all businesses, but especially law firms, to the need to comply with their legal obligations imposed by UK GDPR for the security of all personal data they hold and process.
Lindsay Hill, solicitor and CEO at Mitigo Group, provides a short reminder of some basic legal obligations.
1. Assess the risk
The business must undertake a cybersecurity risk assessment – that is, an assessment/analysis of the security risks involved in the holding and use of any personal data. It must cover many elements – the security of your technology, the way it is accessed, where data is held and how it moves around the business, the nature and sensitivity of the data concerned, the people using it, the third parties who you allow to access/process it, the security policies in place (or not), and much more.
Doing this will of course include technical assessments. But it also needs to identify all vulnerabilities, not just technical ones, and give you visibility of your risks. And because of point 5 below, your risk assessment should be documented. It is an independent specialist job – and different to IT support. In respect of the technical side, the ICO says “This is a complex technical area that is constantly evolving, with new threats and vulnerabilities emerging.” That is why, to understand where the risks are, the risk assessment needs to be undertaken by someone with genuine cyber risk management experience, who is up to speed on the current methods of attack and knows how to defend against them.
2. Put protections in place
After you have done this (and ONLY after you have done this), you must put in place appropriate technical and organisational measures to properly protect the personal data, the security of its users and the systems themselves. Unless you have first taken step 1, you cannot judge what the appropriate measures are to control the risks identified. The ICO are clear on that point.
The measures must include three key areas.
Technology, i.e. controlling the technical risks and vulnerabilities identified. Examples include encryption of data, multi-factor authentication, access controls, configuration of your email systems, configuration of firewalls, configuration of backups, security of individual devices (including BYOD), remote access arrangements to networks and cloud platforms, ensuring the right alerts are switched on, keeping the software up to date, and a whole raft of other things.
It should be noted that the ICO describes Cyber Essentials (and therefore CE Plus, which is just an audited version of CE) as a “base” set of controls, and in the Tuckers case stated that, given the nature of the personal data involved, the security should have “surpassed” those basic requirements. This should be a warning for all professional service firms handling confidential data who mistakenly believe that CE certification provides adequate protection.
People. This includes training staff and building what the ICO calls “a culture of security awareness within your organisation”. And because of point 3 below, you must test/assess the effectiveness of your training. One way of doing this is to undertake simulated phishing attacks.
Governance – your risk assessment will help to determine exactly what policies you must have, together with the procedures for staff and others to follow, and the systems/arrangements you need to have in place to check that your organisational controls/measures are, and continue to be, effective (which includes regularly assessing risks). Some of this will be for all staff. Some will be for individuals within the organisation with responsibility for security. This can include all sorts of things, from password management to incident response arrangements.
3. Regular testing
You must have a process for regularly testing, assessing, and evaluating the effectiveness of the measures you put in place. That is why compliance with the law is not a one-off test. In this context, the ICO refers to vulnerability scanning as a way to “stress test” technology. Your processes for assurance should be independent of your IT support team.
4. GDPR
UK GDPR creates a robust reporting and enforcement regime. This requires, depending on the precise circumstances, incident reporting to the ICO and also to clients/customers whose data may have been compromised. The ICO can impose very significant fines (and publish the details) on businesses which have failed to comply with obligations (and fines are not recoverable under insurance policies). In deciding the fine, they will look to see what technical and organisational security measures the business had actually put in place. In the Tuckers case, the ICO said that the starting point for their negligent security breach was 3.25% of annual turnover. Bear in mind that in addition to this, individuals affected by a breach are entitled to compensation.
Of course, the greatest cost and damage following a breach is usually in disruption (the average downtime in Q1 of 2022 was 26 days but is frequently more); ransom payments (the average ransom payment in 2021 was £628,000 but is frequently more); and the destruction of reputation and client relationships.
5. Demonstrating compliance
All businesses must be able to demonstrate compliance with all of the above legal obligations, which is why they must have a way of documenting what they have done.
Professional regulatory requirements
All regulators of professional service businesses expect compliance with the law, as well as adherence to separate regulatory responsibilities including the duty to report breaches. Those obligations are not limited to personal data.
In Tuckers, the ICO highlighted certain provisions of the Solicitors Regulation Authority’s Code of Conduct including paragraph 2.1a (the need for effective governance structures, arrangements, systems and controls for compliance with regulation and law); para 2.5 (identify, monitor and manage all material risks to your business); para 3.1 (keep up to date with and follow law and regulation); para 5.2 (safeguard money and assets [including documents] entrusted to you by clients and others); as well as referring to other relevant guidance issued by the SRA. The failure to meet those standards of the Code was regarded as an aggravating factor.
This has implications for all other regulated professions. In the context of a breach relating to Law Society of Scotland members, one can expect the ICO to scrutinise (for example) the Rules & Regulations Section B Fundamental Principles Rule B1.6 Confidentiality (requirement to maintain confidentiality and appropriate supervision of employees); Guidance B1.6 (obligation to supervise extends to all outsourced providers); Advice B1.6 Notification to ICO under the Data Protection Act (reference to good practice information issued by ICO); Rule B6 Accounts, Accounts Certificates, Professional Practice (safeguarding client monies, duty to rectify breaches, cashroom management); Guidance B6 (cashroom supervision of staff and systems, partner responsibility for compliance); Section E General Guidance (business process outsourcing, cloud computing, security of social media, compliance with data protection legislation & regulatory obligations when outsourcing); the Law Society’s Cybersecurity Guide; industry standards of good practice, and all other guidance issued from time to time, including that issued by the Law Society of Scotland, the ICO and NCSC.
There are good reasons for the security obligations imposed under UK GDPR and by professional service regulators, and there are good security reasons to comply with them beyond mere compliance. Leaders who ignore them are lagging behind and are putting their partners’ and colleagues’ business and financial interests at risk, because a serious cyber breach can have devastating consequences.
For more information on the points highlighted in this blog, contact Mitigo on 0131 564 1884 or email lawscot@mitigogroup.com.