Cyber and data security – 5 legal obligations you should not ignore
The ICO’s recent finding of negligent security practices and resulting £98,000 fine of Tuckers Solicitors should alert all businesses to the consequences of failing to comply with their legal obligations for the security of personal data. Read this article to understand your cyber and data security obligations.
Here is a reminder of some basic legal obligations.
1. Do a risk assessment
The business must undertake a cybersecurity risk assessment – that is, an assessment/analysis of the security risks involved in the holding and use of any personal data. It must cover many elements – the security of your technology, the way it is accessed, where data is held and how it moves around the business, the nature and sensitivity of the data concerned, the people using it, the third parties who you allow to access/process it, the security policies in place (or not), and much more.
Doing this will of course include technical assessments, but it also needs to identify all vulnerabilities, not just technical ones, and give you visibility of your risks. Because of point 5 below, your risk assessment should be documented. It is an independent specialist job, distinct from IT support.
In respect of the technical side, the ICO says: “This is a complex technical area that is constantly evolving, with new threats and vulnerabilities emerging.” That is why, to understand where the risks are, the risk assessment needs to be undertaken by someone with genuine cyber risk management experience, who is up to date with current methods of attack and knows how to defend against them.
2. Put security measures in place
After you have done this (and only after you have done this), you must put in place appropriate technical and organisational measures to properly protect the personal data, the security of its use and the systems themselves. Unless you have first taken step 1, you cannot judge which measures are appropriate to control the risks identified. The ICO are clear on that point.
The measures must cover three key areas: technology, people, and policies and procedures.
Technology here means the controls that address the technical risks and vulnerabilities identified. Examples include encryption of data, multi-factor authentication, access controls, configuration of your email systems, firewalls and backups, security of individual devices (including BYOD), remote access arrangements for networks and cloud platforms, ensuring the right alerts are switched on and software is kept up to date, and a whole raft of other things.
It should be noted that the ICO describes Cyber Essentials (and therefore Cyber Essentials Plus, which is the independently audited version of the same controls) as a “base” set of controls, and in the Tuckers case stated that, given the nature of the personal data involved, the security should have “surpassed” those basic requirements. This should be a warning to all professional service firms handling confidential data who mistakenly believe that CE certification on its own provides adequate protection.
The people measures include training staff and building what the ICO calls “a culture of security awareness within your organisation”. Because of point 3 below, you must test/assess the effectiveness of your training. One way of doing this is to run simulated phishing attacks; when you do, measure how many staff report the email as well as how many click on it, since prompt reporting is the behaviour you actually rely on in a real attack.
Your risk assessment will help to determine exactly which policies you must have, together with the procedures for staff and others to follow, and the systems/arrangements you need in place to check that your organisational controls/measures are, and continue to be, effective (which includes regularly reassessing risks). Some of this will apply to all staff; some to the individuals within the organisation with responsibility for security. It can cover all sorts of things, from password management to incident response arrangements.
3. Test and evaluate
You must have a process for regularly testing, assessing and evaluating the effectiveness of the measures you put in place, which is why compliance with the law is not a one-off exercise. In this context, the ICO refers to vulnerability scanning as a way to “stress test” technology. Bear in mind that a scan only reports what was exposed on the day it ran: findings need to be tracked to closure and the scan repeated after any significant change to your systems. Your assurance processes should be independent of your IT support team.
4. Reporting obligations
UK GDPR creates a robust reporting and enforcement regime. Depending on the precise circumstances, this requires incidents to be reported to the ICO (without undue delay and, where feasible, within 72 hours of becoming aware of a notifiable breach) and also, where the breach is likely to result in a high risk to them, to the individuals (clients/customers) whose data may have been compromised. The ICO can impose very significant fines (and publish the details) on businesses which have failed to comply with their obligations, and such fines are generally not recoverable under insurance policies. In deciding the fine, the ICO will look to see what technical and organisational security measures the business had actually put in place. In the Tuckers case, the ICO said that the starting point for the negligent security breach was 3.25% of annual turnover. Bear in mind that, in addition to this, individuals affected by a breach are entitled to claim compensation.
Of course, the greatest cost and damage following a breach usually comes from disruption (the average downtime in Q1 2022 was 26 days, and is frequently more); ransom payments (the average ransom payment in 2021 was £628,000, and is frequently more); and the destruction of reputation and client relationships.
5. Document everything
All businesses must be able to demonstrate compliance with all of the above legal obligations, which is why they must have a way of documenting what they have done.
Professional regulatory requirements
All regulators of professional service businesses expect compliance with the law, as well as adherence to separate regulatory responsibilities including the duty to report breaches. Those obligations are not limited to personal data.
In Tuckers, the ICO highlighted certain provisions of the Solicitors Regulation Authority’s Code of Conduct including paragraph 2.1a (the need for effective governance structures, arrangements, systems and controls for compliance with regulation and law); para 2.5 (identify, monitor and manage all material risks to your business); para 3.1 (keep up to date with and follow law and regulation); para 5.2 (safeguard money and assets [including documents] entrusted to you by clients and others); as well as referring to other relevant guidance issued by the SRA. The failure to meet those standards of the Code was regarded as an aggravating factor.
This has implications for other regulated professions. In the context of a breach relating to ICAS members, one can expect the ICO to scrutinise (for example) ICAS Code of Ethics, including 110.1 A1 Fundamental Principle (c) (Professional Competence and Due Care) and related R113 (competent professional service based on current standards and relevant legislation, and maintaining awareness of technology developments); Fundamental Principle (d) (Confidentiality) and related R114 (to take all reasonable steps to preserve confidentiality, and being alert to the possibility of disclosure); Fundamental Principle (e) (Professional Behaviour to comply with relevant laws and regulations and in accordance with professional responsibility) and related R115; ICAS Investigation Regulations 3.1 (duty to report); industry standards of good practice, and all other guidance issued from time to time, including that issued by ICAS, the ICO and NCSC.
There are good reasons for the security obligations imposed under UK GDPR and by professional service regulators, and there are good security reasons to comply with them that go beyond mere compliance. Leaders who ignore them are lagging behind and putting their partners’ and colleagues’ business and financial interests at risk, because a serious cyber breach can have devastating consequences.
We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our Evolve members.
Find out more about Mitigo’s cybersecurity services.
For more information contact them on 0131 564 3131.
This blog is one of a series of articles from our commercial partners. The views expressed are those of the author and not necessarily those of ICAS.