Case Study: Legal Company's £98,000 ICO Fine due to lack of IT Security Compliance - Cobweb


In March 2022, Tuckers Solicitors, a well-regarded UK criminal defence law firm, was fined £98,000 by the Information Commissioner’s Office (ICO) following a ransomware attack that exposed sensitive client data. This incident highlighted key areas for improvement in IT security protocols and serves as an important reminder to law firms about the necessity of strong cyber security measures, particularly in relation to patch management and multi-factor authentication (MFA).

Background

In 2020, Tuckers Solicitors experienced a ransomware attack that resulted in 60 court bundles, containing highly sensitive medical and witness statements, being published on the dark web. While the attack itself was a criminal act, the ICO investigation found that certain security gaps contributed to the extent of the breach. Specifically, a delay in patching a critical vulnerability and the absence of MFA were identified as areas where security measures could have been stronger in line with General Data Protection Regulation (GDPR) compliance.

Delayed Patch Implementation

In January 2020, the UK’s National Cyber Security Centre (NCSC) warned about a security flaw in Citrix’s Application Delivery Controller (ADC) and Citrix Gateway. This flaw could allow hackers to take control of affected systems without needing a password. Organisations were urged to update their systems immediately, and Citrix released a fix on January 19, 2020.

However, the update was not applied until June 2020, around five months later. The ICO treated this delay as a compliance failure, highlighting the importance of fixing known security risks quickly, especially for organisations handling sensitive information. While it is unclear whether this specific vulnerability led to the breach, staying current with security updates is a key part of keeping personal data safe and following industry best practices such as ISO 27002 and NCSC Cyber Essentials.

Multi-Factor Authentication (MFA) Negligence

In addition to patching delays, the absence of multi-factor authentication (MFA) for remote access was identified as a security gap. The ICO noted that implementing MFA could have reduced the risk of unauthorised access to the firm’s network. Given that cyber attackers often exploit single-factor authentication methods, enforcing MFA is widely recommended as a crucial security measure. The ICO concluded that by not implementing MFA, Tuckers increased the likelihood of unauthorised access, which is an important consideration under GDPR’s requirement for maintaining adequate security.

Encryption and Other Security Failures

The ICO also identified opportunities for strengthening data security, particularly regarding encryption. Personal data stored on the firm’s archive server was not encrypted, which posed a potential risk given the sensitive nature of the information. While encryption might not have prevented the ransomware attack, it could have helped mitigate risks associated with data exposure. The ICO reaffirmed that encryption is a valuable tool in protecting personal data, aligning with best practices outlined by both the ICO’s Security Outcomes and the Solicitors Regulation Authority (SRA).

Failure to Meet Cyber Security Standards

In October 2019, the firm did not pass a Cyber Essentials assessment. Given the sensitive nature of the data it handled, the ICO expected the firm to meet or exceed the required standards. The Commissioner expressed concern that, even 10 months later, the necessary improvements had not been fully implemented, highlighting the importance of addressing security gaps in a timely manner.

Lessons for Law Firms

This case underscores the importance of proactive IT security measures, particularly for legal practices handling sensitive client information. Here are some key steps law firms can take to enhance their cyber security:

  1. Timely Patch Management: Implement security patches as soon as they are released, especially for critical vulnerabilities. If in-house resources are limited, partnering with a managed service provider such as Cobweb can help ensure prompt patching and ongoing cyber security support.
  2. Implement Multi-Factor Authentication (MFA): MFA is a simple yet effective way to add an extra layer of security. Law firms should enforce MFA for all remote access to systems to reduce the risk of unauthorised access.
  3. Encryption of Sensitive Data: Data encryption should be a standard security measure for law firms, especially when dealing with personal data. While it might not prevent all types of attacks, it adds an additional layer of protection against data theft or unauthorised processing.
  4. Meet Cyber Essentials Standards: Meeting and exceeding the Cyber Essentials standards can help law firms maintain a robust security framework. Regular security audits further support best practices.
  5. Adhere to Data Retention Guidelines: Ensure that personal data is stored only for as long as necessary to avoid compliance risks.

Conclusion

The ICO’s findings highlight the importance of maintaining strong cyber security practices within the legal sector. As the legal industry continues to digitise, firms must prioritise their IT security to avoid costly penalties, protect their clients, and maintain trust in an increasingly complex regulatory environment.

If your law firm would like to explore cyber security solutions, our team is here to assist in strengthening your IT environment.
