The ICO’s First Ransomware Monetary Penalty Notice: Key Takeaways

March.15.2022

On March 10 2022, the UK Information Commissioner’s Office (ICO) handed down its first Monetary Penalty Notice in respect of a ransomware attack and data exfiltration incident under the UK General Data Protection Regulation (GDPR) against the criminal defense firm Tuckers who suffered from a ransomware attack in August 2020. This ICO enforcement action highlights that ransomware attacks can lead to fines against the victim of such an attack and provides valuable guidance on what IT security measures companies should consider.

Key Takeaways

Ransomware attacks often do not only lead to significant costs for the investigation and remediation but are now also facing risks of enforcement actions under the GDPR.
Multi-Factor Authentication needs to be implemented and used generally, i.e., not only for internal access but also for remote access.
Insufficient patch management is a security risk which may trigger fines.
Paperwork is not sufficient; policies on GDPR and IT security are good, but if not effectively implemented on a day-to-day basis, do not protect against fines.
The response of a company to a security incident, i.e., how the company reacts and what measures it applies to remedy a breach, can be mitigating factors to reduce potential fines.

Background and ICO Findings

The Monetary Penalty Notice is timely, given the ICO’s recent release of is “Guide on Ransomware and Protection Compliance”. According to the Verizon Data Breach Investigations Report 2021, the number of ransomware incidents has doubled over the past year alone. Since 2019, threat actors have engaged in a secondary method of cyber extortion where they threaten to publish data taken by them from a victim’s system. This tactic is commonly used in incidents across the globe.

During the Tuckers incident, threat actors gained access to and encrypted over 900,000 digital files with a substantial number being related to court bundles. The dataset exfiltrated by the attacker and published on the dark web contained over 60 court bundles for historic and live cases.

The ICO found that Tuckers failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures pursuant to Article 5(1)(f) GDPR. The ICO also raised concerns with compliance with Articles 5(1)(e) (data minimisation), 25 (data protection by design), 32(1)(a) and 32(1)(b) GDPR (technical and organisational measures).

In its decision, the ICO frequently referred to Tucker’s Data Protection Policy and the lack of compliance with measures set forth therein. This is a key demonstration that the existence of a document is not enough to achieve compliance with the GDPR. Further criticism focussed on:

Lack of Multi-Factor Authentication (MFA) – Tucker’s Data Protection Policy required two-factor authentication where available; however, it did not use MFA for remote access. The ICO acknowledged that the remote environment was the epicentre of the incident. The ICO considered that MFA was “a comparably low-cost preventative measure which Tuckers should have implemented [47]”. The ICO further stated that “the lack of MFA accordingly created a substantial risk of personal data on Tuckers’ systems being exposed to consequences such as this attack [48]”

Patch Management – Tuckers’ own internal investigation found that the attackers may have used a known vulnerability to access the network. A patch was released in in January 2020 however it was installed more than four months later in June 2020. At the time, the vulnerability was scored 9.8 or “critical” under the Common Vulnerability Scoring System. National guidance recommends that critical vulnerabilities should be patched in 14 days. The ICO found that “Tuckers should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk”.

Encryption –The data held on the archive server was not encrypted. Whilst the ICO considered that the encryption of personal data may not have thwarted the attack, it may have mitigated some of the risk associated with the subsequent data exfiltration. The ICO reminds organisations that encryption of personal data upholds the principle of confidentiality even when exfiltrated. Tuckers’ Data Protection Policy stated that client data required the highest level of protection due to its sensitivity. The ICO considered that the GDPR provides express commentary that encryption of personal data is an appropriate security measure and in the context of this incident Tuckers should not have been “storing archived bundles in unencrypted, plain text format” [67].

In relation to exfiltrated data being published on the dark web, the ICO found that the release of personal data was likely to increase distress to individuals. Such commentary is in line with the European Data Protection Board’s guidelines on data subject notification insofar as the exfiltration of data released earlier this year.

The penalty was initially levied in line with 3.25 percent of Tuckers’ annual turnover. Whilst the ICO did not consider that any factors should increase the fine (such as Tuckers’ failure to comply with the Solicitors’ Regulation Authority code of conduct), however, application of significant factors were applied to reduce the amount of the fine to £98,000. Tuckers’ made representations on remedial measures employed, their own financial position and representations made in relation to managing IT staff illness.

The ICO’s decision serves as a timely reminder in the United Kingdom and Europe that having GDPR policies that comply with the GDPR may not equate to GDPR compliance if the policies are improperly implemented and enforced. Organisations must ensure that plans outlining stringent technical and security measures are adhered to or be subject to the magnifying glass of the regulator in the wake of an incident.

Authors

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.