Recent action by the Information Commissioner’s Office (ICO) makes clear that protecting the public from ransomware attacks is a key priority. This demonstrates a pragmatic approach by the ICO, as the National Security Centre considers ransomware the biggest cyber threat facing the UK. The ICO recently issued its first ransomware-related fine, to Tuckers Solicitors LLP (Tuckers), for failing to adequately mitigate the risk of a ransomware attack, and days later published guidance on data protection compliance in relation to ransomware attacks (the Guidance).
On 24 August 2020 Tuckers, a criminal defence law firm, became aware of a ransomware attack on its systems, which resulted in the encryption of 972,191 individual files, of which 24,711 were court bundles related to Tuckers’ clients. 60 court bundles were exfiltrated by the attacker and published on the dark web.
On 10 March 2022, the ICO fined Tuckers £98,000 for breach of Article 5(1) GDPR, which requires that personal data is processed lawfully, fairly and in a transparent manner. This was the first time the ICO has issued a fine relating to a ransomware attack.
In its penalty notice, the ICO outlined specific deficiencies, including the failure to put in place sufficient controls around accessing personal data, and the failure to appropriately manage ‘vulnerability patches’ within the organisation. This included Tuckers’ failure to use multi-factor authentication (MFA) or effective encryption management for archived court bundles (which were stored in an unencrypted format, despite encryption being the norm in the legal services sector). The penalty notice refers to the fact that the ICO provides free assessment toolkits for data controllers (such as Tuckers) to use to ensure they are compliant with GDPR. However, Tuckers had failed to follow available guidance.
ICO Ransomware Guidance
Just days after the Tuckers fine, the ICO published the new Guidance, which takes the form of a checklist for organisations to follow to ensure that they have sufficient security protections in place against ransomware attacks. The Guidance focuses on two key requirements: (i) technical controls to minimise the risk of an attack (eg use of MFA, appropriate classification of data, and testing of systems); and (ii) policies and procedures to prevent and/or react to such attacks (ensure suitable policies are in place, as well as incident response plans, disaster recovery and business continuity plans, and adequate staff training).
The Guidance sets out the most common ransomware compliance issues, which the ICO uses to illustrate the appropriate measures which should be taken. Key points are that:
- Ransomware attacks affect organisations of all sizes, and proportionate steps should be taken. The ICO will assess the suitability of an organisation’s security protections against common industry practice and guidance notes, including ISO standards for information security.
- The responsibility for determining whether a personal data breach has occurred as part of a ransomware attack lies with the organisation. Notably, the Guidance states that losing access to personal data (not just losing the data itself) will be considered a personal data breach.
- Organisations must ensure they comply with notification requirements if a breach has taken place (eg notification to the ICO must be made without undue delay, and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals).
- As expected, the Guidance strongly advises against paying ransoms, as there is no guarantee that the data will be returned, and doing so may result in further attacks if the organisation is known as a paying party.
The penalty notice states that Tuckers failed to follow available guidance, including measures which are now set out in the new Guidance (citing, for example, its failure to use MFA or to manage decryption keys). The penalty notice illustrates how the ICO is likely to refer to the new Guidance, and other available guidance, when determining whether firms have acted reasonably in meeting their obligations as data controllers.
The Tuckers fine also suggests that the ICO will take a harsher stance against organisations with greater risk exposure to personal data breaches. The penalty notice referred to the volume and nature of personal data held by Tuckers. Organisations should consider their own vulnerabilities in light of industry standards and good practice suggested by the Guidance.
In addition to highlighting the importance of organisations following the Guidance in the future, the penalty notice more generally underlines that organisations should ensure they co-operate with the ICO in the event of a personal data breach. In determining the size of the fine, the penalty notice acknowledged Tuckers’ co-operation with the ICO and the steps Tuckers took to contact individuals affected by the breach.