UK GDPR Reminder

A key principle of the UK GDPR (Article 5(1)(f), integrity and confidentiality) is that personal data is protected by appropriate technical and organisational measures. The article below, recently published in the compliance news section of the Privacy and Data Protection Journal, is a useful reminder of what can go wrong when such measures are not in place:

UK law firm fined £98k

The Information Commissioner’s Office has fined a UK law firm £98,000 following a data breach caused by ransomware. Hackers gained access to the IT systems of criminal defence firm Tuckers Solicitors LLP and compromised more than 24,700 court bundles containing special category data such as medical files and witness statements. The ICO’s investigation found that Tuckers had breached Article 5(1)(f) GDPR because of data security contraventions and inadequate technical and organisational measures to protect such data. In particular, the regulator noted the lack of multi-factor authentication for remote access to the Tuckers systems, the slow pace at which software vulnerabilities were patched and a failure to encrypt personal data.

Our ICT team works hard to keep our systems secure, including enforcing two-factor authentication when accessing MVDC systems from any non-MVDC portable device. All staff have a part to play and are reminded to apply their Security Awareness Training to recognise suspicious emails, so that phishing cannot give hackers a route into MVDC systems.
