There has been an increase in Information Commissioner's Office (ICO) activity in recent weeks which should make law firms and their clients sit up and take notice.
ICO fines company £4.4m after cyber-attack and issues a stark warning:
“Biggest cyber risk is complacency, not hackers.”
On 24th October the ICO fined Interserve Group £4.4m for failing to put in place appropriate technical and organisational measures to guard against a ransomware attack. An employee clicked on a phishing email which subsequently downloaded malware onto their machine; the malware then spread to several unpatched servers, uninstalled the antivirus software and encrypted systems. The hackers then stole the personal data, including special categories of data, of 113,000 individuals.
In a stern press release John Edwards, UK Information Commissioner, said:
“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
Cyber-attacks don’t just cause disruption and inconvenience. Hackers don’t care what data they get their hands on, just as long as they get their hands on it, and it will damage you if they release it. Think how sick you’d feel if some nasty hacker had their mitts on your client’s entire confidential files and was threatening to release them unless you pay up.
Most cyber-attacks are caused by someone clicking on a phishing email, so help your staff spot, detect and report phishing emails.
ICO issues reprimands for DSAR failings
Reprimands are a formal expression of the ICO’s disapproval, issued to organisations that have broken data protection law.
In October, the ICO issued reprimands to seven organisations for failing to respond to information access requests from members of the public, otherwise known as Data Subject Access Requests (DSARs). Your firm has between one and three months to respond, depending on the complexity of the request. Here’s who found themselves in hot water:
- The MOD – currently has a backlog of 9,000 DSARs dating back to March 2020
- The Home Office – hasn’t responded to 21,000 DSARs within the statutory timeframe
- The London Borough of Croydon – which responded to less than half of its DSARs within statutory timeframes, between April 2020 and April 2021
- Kent Police – which responded to 60% of DSARs on time between October 2020 and February 2021
- The London Borough of Hackney – from April 2020 to February 2021, the London Borough of Hackney did not respond to over 60% of the DSARs submitted to it within the statutory timeframe. The oldest DSAR was over 23 months old
- The London Borough of Lambeth – with an ongoing backlog, they only responded to 74% of the DSARs they received within the statutory timescales from 1 August 2020 to 11 August 2021
- Virgin Media – over a six-month period in 2021, Virgin Media received over 9,500 DSARs. 14% of these were not responded to within the statutory timeframe
DSARs are a fundamental mainstay of data protection and an important part of your privacy framework. Being client facing, it is important that your firm has policies and procedures in place to manage DSARs and that staff are trained on what to do when a request is received.
Surge in marketing fines dished out by the ICO…
The Privacy and Electronic Communications Regulations (PECR) are often misunderstood and are a hotspot for fines. In October the ICO issued a number of fines under them.
In 2020 the government launched the Green Homes Grant voucher scheme, whereby homeowners or residential landlords could use vouchers of up to £5,000 towards the cost of installing energy efficiency improvements to their home. The scheme prompted loft, window and wall insulation companies to cold call individuals with offers to help them. The ICO was inundated with complaints from TPS (Telephone Preference Service) subscribers; many complainants were vulnerable, elderly and/or had severe health difficulties. Following its investigations, the ICO issued the following fines and sanctions against four companies:
- After 33 complaints Posh Windows UK Limited were fined £150,000 for making 461,062 unsolicited marketing calls between 1 August 2020 and 30 April 2021.
- Green Logic UK Ltd were fined £40,000 for making 11,825 calls between 1 January 2020 and 31 December 2020; the ICO launched its investigation after receiving 32 complaints. They were also hit with an enforcement notice.
- Making 178,190 unsolicited marketing calls landed Eco Spray Insulations Limited with a £100,000 fine, and they had the dubious prestige of being in the ICO’s top 20 most complained-about companies.
- Euroseal Windows Limited were fined £80,000 for making at least 169,830 calls to numbers registered on the TPS; the ICO received five complaints.
And so the fines go on…
On 19th October Apex Assure Limited were fined £230,000 for making 122 cold calls to members of the public registered with the TPS between 1 February and 31 July 2021. The company was also hit with an enforcement notice.
On 5th October Easylife Limited were fined £130,000 for making 1,345,732 unsolicited direct marketing calls between August 2019 and August 2020, resulting in 25 complaints to the ICO. The company was also hit with an enforcement notice.
The true cost of a cyber attack
Back in 2020 Hackney Council suffered a devastating cyber-attack; it was reported that recovering data, replacing systems and clearing the backlog of work cost £12 million in a single financial year.
Government issues warnings on supply chains
In recent times there has been a significant increase in supply chain attacks. A firm may have the best security, but hackers realise its suppliers may not, and so use a supplier as a back door into the firm’s systems.
The National Cyber Security Centre (NCSC) has issued new guidance following the supply chain attacks of recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in ten businesses (13%) review the risks posed by their immediate suppliers, while the proportion covering the wider supply chain is just 7%.
Ian McCormack, NCSC deputy director for Government Cyber Resilience, explained:
“Supply chain attacks are a major cyber threat facing organizations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organizations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.”