ICO (UK) - Tuckers Solicitors LLP

| Field | Value |
|---|---|
| Authority | ICO (UK) |
| Jurisdiction | United Kingdom |
| Relevant Law | Article 5(1)(f) GDPR; Article 32 GDPR |
| Type | Investigation |
| Outcome | Violation Found |
| Started | 25.08.2020 |
| Decided | 28.02.2022 |
| Published | 10.03.2022 |
| Fine | 98,000 GBP |
| Parties | Tuckers Solicitors LLP |
| National Case Number/Name | Tuckers Solicitors LLP |
| European Case Law Identifier | n/a |
| Appeal | Unknown |
| Original Language(s) | English |
| Original Source | ICO (in EN) |
| Initial Contributor | gauravpathak |
The UK DPA fined law firm Tuckers Solicitors LLP €116,784.27 (GBP 98,000) for contravening Article 5(1)(f) and Article 32 GDPR by "failing to process personal data in a manner that ensured appropriate security of the personal data".
English Summary
Facts
Tuckers Solicitors LLP (Tuckers) is a limited liability partnership of solicitors and the data controller. On 24 August 2020, Tuckers became aware that its systems had been hit by a ransomware attack. On 25 August 2020, it determined that the attack had resulted in a personal data breach and notified the UK DPA (ICO) the same day, stating that the "attack had resulted in the encryption of civil and criminal legal case bundles stored on an archive server. Backups were also encrypted by the attacker". In total, "972,191 individual files were encrypted. Of these, 24,711 related to court bundles. Of the 24,711 court bundles, 60 were exfiltrated by the attacker" and published on the dark web. According to Tuckers, "the bundles included a comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals."
Tuckers notified all but seven of the parties whose data appeared in the 60 exfiltrated bundles, as required by Article 34 GDPR; the seven could not be contacted because Tuckers held no postal address for them. It also announced the incident publicly on its website and social media.
On 27 August 2020, Tuckers appointed a third-party investigator to produce a 'Cyber Security Incident Response Report'. The investigator could not determine conclusively how the attacker gained access, but found evidence of a known system vulnerability (identified by a CVE number that is redacted in the published notice) that could have been used either to enter Tuckers' network or to move further within it once inside. The vendor of the affected product had published mitigation steps in December 2019 and a patch in January 2020; Tuckers did not apply the patch until June 2020.
In September 2020, Tuckers informed the ICO that it had “moved its servers to a new environment and the business was now back to running as normal, albeit without the restoration of the data that had been compromised by the attacker.”
Holding
The ICO held that "primary culpability for this incident rests with the attacker". However, Tuckers violated Article 5(1)(f) GDPR because its technical and organisational measures "were, over the relevant period, inadequate". This finding drew on Article 32 GDPR, which requires a controller, when implementing security measures, to consider "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons". The inadequacy was evident from the following:
Although Tuckers' GDPR and Data Protection Policy required two-factor authentication where available, Tuckers did not use it for its remote access solution. The ICO held that multi-factor authentication was a comparably low-cost measure that "could have substantially supported Tuckers in preventing access to its network", since exploitation of a single username and password is a common entry method. Accordingly, Tuckers failed to meet the requirements of Article 32(1)(b) GDPR.
Tuckers installed the patch in June 2020, some five months after its release in January 2020. The vulnerability had a CVSS score of 9.8 (critical), and NCSC Cyber Essentials expects high- and critical-rated patches to be applied within 14 days of release; during the unpatched period the attacker could have exploited the vulnerability. The ICO rejected Tuckers' argument that an attacker was unlikely to have gained access before June and then waited until August to act, noting that such dwell time is a common attacker tactic.
Considering the “highly sensitive nature of the personal data”, Tuckers “should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk”.
Tuckers had not encrypted the personal data on the archive server, and accordingly "did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article 5(1)(f) GDPR". Although encryption may not have prevented the ransomware attack, it would have mitigated some of the risks the attack posed to the affected data subjects.
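The patch-management finding turns on a simple measurable: the gap between a vendor releasing a fix and the controller applying it, measured against the 14-day window that Cyber Essentials sets for high- and critical-rated patches. The following is an added example, not part of the ICO notice or any Tuckers system, showing how that check can be run over a patch inventory. The CVSS severity bands are the published CVSS v3.x qualitative scale and the 14-day window is the Cyber Essentials figure cited in the decision; the 30-day and 90-day windows for medium and low, the system names, the advisory identifiers and every date other than the 19 January 2020 patch release are assumptions constructed for the demonstration.

```python
"""Patch-SLA check: flag fixes applied (or still missing) past the remediation window.

Added example, not part of the ICO notice. Severity bands follow the CVSS v3.x
qualitative scale; the 14-day window for high/critical is the Cyber Essentials
requirement cited in the decision. The 30/90-day windows for medium/low and all
system names, advisory IDs and dates other than the 19 January 2020 patch
release are assumptions constructed for this demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Days allowed between patch release and deployment. 14 days for high/critical
# is the Cyber Essentials requirement; the medium/low windows are assumed policy.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class PatchRecord:
    system: str
    advisory: str                  # vendor advisory or CVE reference
    cvss: float
    patch_released: date
    patch_applied: Optional[date]  # None means still unpatched


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days the system ran with a fix available but not applied."""
    end = rec.patch_applied or as_of
    return max(0, (end - rec.patch_released).days)


def sla_breaches(records: List[PatchRecord], as_of: date) -> List[Tuple[str, str, str, int]]:
    """Return (system, advisory, severity, days_overdue) for each record whose
    patch was applied after, or is still outstanding past, its SLA deadline."""
    out = []
    for rec in records:
        sev = cvss_severity(rec.cvss)
        if sev == "none":
            continue
        deadline = rec.patch_released + timedelta(days=SLA_DAYS[sev])
        end = rec.patch_applied or as_of   # unpatched systems are measured to today
        if end > deadline:
            out.append((rec.system, rec.advisory, sev, (end - deadline).days))
    return out


# Constructed inventory. The first record mirrors the decision's timeline
# (CVSS 9.8, patch released 19 January 2020, applied in June 2020); the exact
# June date and all other records are assumed.
AS_OF = date(2020, 8, 25)
SAMPLE_RECORDS = [
    PatchRecord("remote-access-gateway", "VENDOR-ADV-2019-001", 9.8, date(2020, 1, 19), date(2020, 6, 15)),
    PatchRecord("case-management-db", "VENDOR-ADV-2020-017", 5.3, date(2020, 3, 1), date(2020, 3, 20)),
    PatchRecord("file-server", "VENDOR-ADV-2020-042", 7.5, date(2020, 8, 1), None),
]

if __name__ == "__main__":
    for system, advisory, sev, overdue in sla_breaches(SAMPLE_RECORDS, AS_OF):
        print(f"{system}: {advisory} ({sev}) is {overdue} days past its {SLA_DAYS[sev]}-day window")
```

Run against the constructed inventory, the check reports the critical gateway patch as 134 days past its 2 February 2020 deadline (148 days of exposure in total) and the unpatched file server as 10 days overdue, while the medium-rated database patch applied within 30 days is not flagged. Measuring unpatched systems against the current date rather than skipping them is the point of the `patch_applied is None` handling: an open item is a growing breach, not a missing data point.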
For determining the penalty amount, the ICO took note of the fact that “personal data included within the bundles included special category data, and related to individuals that were particularly vulnerable, including children and individuals involved in significant crimes”. As per the ICO, “this type of personal data required particularly high levels of security to be applied to it”; and its breach made the infringement more severe. It also determined that Tuckers’ security practices were negligent. The fact that Tuckers informed the data subjects as per Article 34 GDPR and commissioned a third-party investigator was also considered by the ICO.
Tuckers' failure to follow the mandated security standards was considered to be an aggravating factor. Its subsequent actions of taking remedial steps including changes in the way it handles personal data were considered as mitigating factors.
The ICO used the Five-Step Process mandated in the Regulatory Action Policy (RAP) and fined Tuckers a total of €116,784.27 (GBP 98,000).
Text of the Decision
The text below is the English original of the ICO's Monetary Penalty Notice, as extracted from the published PDF, in which the affected vendor, product and CVE identifier are redacted. Refer to the ICO's published notice for the authoritative text.
Information Commissioner's Office

DATA PROTECTION ACT 2018 (PART 6, SECTION 155)
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE

TO: Tuckers Solicitors LLP
OF: 39 Warren Street, London, W1T 6AF

1. Tuckers Solicitors LLP ("Tuckers") is a limited liability partnership which is authorised and regulated by the Solicitors Regulation Authority (No. 592449) and registered in England and Wales (Companies House No. OC382272).

2. The Information Commissioner ("the Commissioner") has decided to issue Tuckers with a Penalty Notice under section 155 of the Data Protection Act 2018 ("the DPA"). This penalty notice imposes an administrative fine on Tuckers, in accordance with the Commissioner's powers under Article 83 of the General Data Protection Regulation 2016 ("the GDPR")[1]. The amount of the monetary penalty is £98,000.

3. The monetary penalty has been issued because of a contravention by Tuckers of Article 5(1)(f) of the GDPR. The Commissioner finds that, during the period of 25 May 2018 to 25 August 2020 ("the relevant period"), Tuckers failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

4. Tuckers became aware on 24 August 2020 of a ransomware attack on its systems, and on 25 August 2020 determined that the attack had resulted in a personal data breach. The Commissioner considers that Tuckers' failure to implement appropriate technical and organisational measures over some or all of the relevant period rendered it vulnerable to the attack. The attack resulted in the encryption by the malicious and criminal actor (the "attacker") of 972,191 individual files, of which 24,712 related to court bundles; of the encrypted bundles, 60 were exfiltrated by the attacker and released in underground data marketplaces. The compromised files included both personal data and special category data.

5. In addition, whilst not forming the basis of the substantive contravention, the Commissioner is also concerned by Tuckers' compliance over the relevant period with Articles 5(1)(e), 25, 32(1)(a) and 32(1)(b) GDPR.

6. In the interests of clarity, 25 May 2018 is the date when GDPR came into effect, and 25 August 2020 is the date on which Tuckers reported the breach to the Commissioner and shut down the relevant system, preventing any further possible unauthorised access.

7. This Monetary Penalty Notice explains the Commissioner's decision, including the Commissioner's reasons for issuing the monetary penalty and for the amount of the penalty.

[1] The applicable legislation at the time of the incident was the (EU) GDPR. The Commissioner was at the material time the supervisory authority in respect of the (EU) GDPR.

Legal framework for this Monetary Penalty Notice

Obligations of the controller

8. Tuckers is a controller for the purposes of the GDPR and the DPA, because it determines the purposes and means of the processing of personal data held on its computer systems (GDPR Article 4(7)).

9. 'Personal data' is defined by Article 4(1) of the GDPR to mean: information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

10. 'Processing' is defined by Article 4(2) of the GDPR to mean: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

11. Controllers are subject to various obligations in relation to the processing of personal data, as set out in the GDPR and the DPA. They are obliged by Article 5(2) to adhere to the data processing principles set out in Article 5(1) of the GDPR.

12. In particular, controllers are required to implement appropriate technical and organisational measures to ensure that their processing of personal data is secure, and to enable them to demonstrate that their processing is secure. Article 5(1)(f) ("Integrity and Confidentiality") stipulates that: Personal data shall be [...] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

13. Article 5(1)(e) ("Storage Limitation") provides, in material part: Personal data shall be [...] kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [...]

14. Article 25 ("Data protection by design and by default") provides, in material part:
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

15. Article 32 ("Security of processing") provides, in material part:
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) [...] (d) [...]
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. [...]

The Commissioner's powers of enforcement

16. The Commissioner is the supervisory authority for the UK, as provided for by Article 51 of the GDPR.

17. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor and enforce the application of the GDPR.

18. By Article 58(2)(d) of the GDPR, the Commissioner has the power to notify controllers of alleged infringements of GDPR. By Article 58(2)(i) he has the power to impose an administrative fine, in accordance with Article 83, in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case.

19. By Article 83(1), the Commissioner is required to ensure that administrative fines issued in accordance with Article 83 are effective, proportionate, and dissuasive in each individual case. Article 83(2) goes on to provide that: When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

20. The DPA contains enforcement provisions in Part 6 which are exercisable by the Commissioner.
Section 155 of the DPA ("Penalty Notices") provides that: (1) If the Commissioner is satisfied that a person (a) has failed or is failing as described in section 149(2) ..., the Commissioner may, by written notice (a "penalty notice"), require the person to pay to the Commissioner an amount in sterling specified in the notice. (2) Subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the following, so far as relevant: (a) to the extent that the notice concerns a matter to which the GDPR applies, the matters listed in Article 83(1) and (2) of the GDPR.

21. The failures identified in section 149(2) DPA 2018 are, insofar as relevant here: (2) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following: (a) a provision of Chapter II of the GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing); ... (c) a provision of Articles 25 to 39 of the GDPR or section 64 or 65 of this Act (obligations of controllers and processors) [...]

22. Schedule 16 includes provisions relevant to the imposition of penalties. Paragraph 2 makes provision for the issuing of notices of intent to impose a penalty, as follows: "(1) Before giving a person a penalty notice, the Commissioner must, by written notice (a "notice of intent") inform the person that the Commissioner intends to give a penalty notice."

The Commissioner's Regulatory Action Policy

23. Pursuant to section 160(1) DPA, the Commissioner published his Regulatory Action Policy ("RAP") on 7 November 2018.

24. The process the Commissioner will follow in deciding the appropriate amount of penalty to be imposed is described in the RAP from page 27 onwards. In particular, the RAP sets out the following five-step process:
a. Step 1. An 'initial element' removing any financial gain from the breach.
b. Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2) - (4) DPA.
c. Step 3. Adding in an element to reflect any aggravating factors. A list of aggravating factors which the Commissioner would take into account, where relevant, is provided at page 11 of the RAP. This list is intended to be indicative, not exhaustive.
d. Step 4. Adding in an amount for deterrent effect to others.
e. Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship). A list of mitigating factors which the Commissioner would take into account, where relevant, is provided at pages 11-12 of the RAP. This list is intended to be indicative, not exhaustive.

Factual background to the incident

25. Tuckers' website describes it as the UK's leading criminal defence lawyers specialising in criminal law, civil liberties and regulatory proceedings. Established in 1983, the firm has numerous offices in Greater London, Greater Manchester, West Midlands, Kent, Sussex, Staffordshire and Somerset.

26. On 24 August 2020 Tuckers determined that it had been subjected to a ransomware attack; parts of its IT system became unavailable. Upon investigation its IT staff identified a ransomware note from the attacker stating that they had compromised Tuckers' system.

27. On 25 August 2020 it submitted a personal data breach notification to the Commissioner. It explained that the attack had resulted in the encryption of civil and criminal legal case bundles stored on an archive server. Backups were also encrypted by the attacker. The Commissioner notes that these actions by the attacker affected only the archive server; the vast majority of the personal data Tuckers was processing was in fact held on other servers and systems that were not affected by the attack.

28. Tuckers stated that a significant number of personal data records were held on the archive server and provided the total number of files encrypted as a result of the attack.

29. In total, 972,191 individual files were encrypted. Of these, 24,711 related to court bundles. Of the 24,711 court bundles, 60 were exfiltrated by the attacker and published on an underground market site (the "dark web").

30. Tuckers stated that the bundles included a comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals. The 60 exfiltrated court bundles included 15 relating to criminal court proceedings and 45 civil proceedings. Of the 60 exfiltrated court bundles, the personal data was not related to just one living individual; it was likely to have included multiple individuals.

31. In respect of the criminal cases, Tuckers stated it included one ongoing criminal case at the Proceeds of Crime Act stage, in which the criminal trial had concluded. All other criminal cases had been concluded. In respect of the civil cases, Tuckers explained that there was a mixture of archived and live cases. The Commissioner notes that some of the personal data compromised by the attack was likely to have featured in open court proceedings, but the unauthorised access to personal data resulting from this attack was very different in nature and scale. Tuckers further explained that to its understanding the personal data breach has not had any impact on the substance of its archived or live cases, i.e. on the conduct or outcome of the relevant proceedings.

Overview of the attack

32. The attack resulted in the unavailability of personal data (via encryption) and a loss of confidentiality (via access to, and exfiltration of, the personal data).

33. On 27 August 2020 Tuckers commissioned third-party investigators, [redacted], to provide a 'Cyber Security Incident Response Report'. Neither Tuckers nor [redacted] was able to determine conclusively how the attacker was able to access Tuckers' network. However, it did find evidence of a known system vulnerability, [redacted][2], that could have been used to either access the network, or further exploit areas of Tuckers once inside the network.

34. [redacted] released a patch for [redacted] in January 2020. Tuckers has told the Commissioner that it applied the patch in June 2020, but it has accepted that the attacker could have exploited it during the five month unpatched period[3].

35. Once inside the network, the attacker installed various attacker tools which allowed the attacker to create its own user account, which it did. The attacker used this account to execute the attack and encrypt a significant volume of personal data contained in case bundles held on the archive server within the Tuckers network (see paragraph 29 above). As well as encrypting the personal data and the backups, the attacker also exfiltrated 60 court bundles and released them onto the dark web.

36. Tuckers notified all but seven of the parties detailed within the 60 court bundles which had been released[4]; this was done in line with the requirements of Article 34 GDPR. It also made a public notification of the incident using its social media presence and its website.

37. Tuckers provided an update to the Commissioner on 7 September 2020 stating that it had moved its servers to a new environment and the business was now back to running as normal, albeit without the restoration of the data that had been compromised by the attacker. It stated that, whilst the compromised court bundles were effectively permanently lost, the material within the bundles was still available on its case management system which was unaffected by the attack.

38. The Commissioner has considered whether these facts constitute a contravention of the data protection legislation.

[2] 'CVE' is a reference number used to identify known vulnerabilities.
[3] It is noted that Tuckers' GDPR & Data Protection Policy states "all software, operating system and firmware shall be updated on a regular basis to reduce the risk presented by security vulnerabilities".
[4] These seven had been subject to a custodial sentence when Tuckers last had contact with them. Tuckers stated that they therefore did not have a postal address for these individuals at any stage; either because they did not have one before they were remanded to custody and/or they only had a relationship with them in custody, so did not record any address outside of prison.

The Contravention

39. For the reasons set out below, and having carefully considered Tuckers' representations, the Commissioner has concluded that Tuckers contravened Article 5(1)(f) GDPR. The Commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker. But for the attacker's criminal actions, regardless of the state of the security, the breach would not have occurred. However, the infringements identified by the Commissioner were relevant to the personal data breach because they gave the attacker a weakness (vulnerability) to exploit and/or because they increased the risks to personal data once the attacker entered Tuckers' network. Particularly in light of the volume and nature of the personal data for which Tuckers were responsible, data security contraventions that created such risks were serious matters that justify enforcement action on the facts of this case.
Information Commissioner's Office 40. In reaching those conclusions, the Commissioner has given consideration to Article 32 GDPR, which requires a controller when implementing appropriate security measures to consider "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons". 41. As part of his deliberations, the Commissioner has considered, in the context of "state of the art", relevant industry standards of good practice including the ISO27000 series, the National Institutes of Standards and Technology ("NIST"), the various guidance from the ICO itself, the National Cyber Security Centre ("NCSC"), the Solicitors Regulatory Authority ("SRA"), Lexcel and 'NCSC Cyber Essentials'. 42. The Commissioner has concluded that there are a number of areas in which Tuckers has failedto comply with, and to demonstrate that it complied with, Article S(l)(GDPR. Tuckers' technical and organisational measures areas were, over the relevant period, inadequate in the following particular respects: • Lack of Multi-Factor Authentication ("MFA") 43. Tuckers explained that it used a -environment to deploy remote desktops via the-web app and that its-environment was at the centre of the cyber-attackIts GDPR and Data Protection Policy required two-factor authenticationwhere available, however, it stated that it did not use Multi-Factor Authenticatio(MFA) for its - remote access solution. 44. With regards to "state of the art", the Commissioner notes that ISO27002 recommends "where strong authentication and identify verification is 15, • ICO. Information Commissioner's Office required, authenticatiomethods alternative to passwords, such as cryptographic means, smart cards, tokens or biometrics should be used". 45. 
NIST 800-63b requires that where "some assurance" is needed that the individual authenticatinis who they claim to be, authenticatimay be allowed via a single factor such as password. Where a high degree of certainty is required, controllers should implement either MFA or a combination of two single factor authenticatoWhere a very high degree of certainty is required, authenticatshould be based on proof of possession of a key through a cryptographic protocol including possession of two distinct authenticators. 46. The Commissioner understands that - published guidance in 2016 which stated that organisations should not use single factor authentication for- in production environments.The NCSC has recommended since 2018 to use MFA for services such as remote access. It says that MFA is particularly important for authenticatto services that hold sensitive or private data. The NCSC Cyber Essentials requires multi-factor authenticationwhere it is available, and the SRA also published guidance in 2018 which recommended the use of MFA where possible. 47. The Commissioner believes that the use of MFA was a comparably low cost preventative measure which Tuckers should have implemented, with there being a number of both open and proprietary/commercialMFA solutions widely available that are compatible with-· 48. The use of MFA substantially increases the difficulty of an attacker entering a network via the exploitation of a single username/password. Had MFA been used, it could have substantially supported Tuckers in preventing access to its network. The Commissioner is cognisant of the fact that Tuckers is unable to confirm exactly how the attacker entered its 16, • Information Commissioner's Office network - however, the exploitation of a single username and password is a common exploitation method and is likely to be one of two possible entry methods into the Tuckers network. 
The lack of MFA accordingly created a substantial risk of personal data on Tuckers' systems being exposed to consequences such as this attack. 49. Taking into consideration the highly sensitive nature of the personal data that Tuckers was processing, as well as the state of the art of MFA, and the costs of implementation,Tuckers should not have allowed access to its network using only a single username and password. In doing so, it did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article 5(l)(f) GDPR. 50. For the same reasons, the Commissioner considers that Tuckers also failed to meet the requirements of Article 32(l)(which required appropriate measures to be put in place to ensure the ongoing confidentialitintegrity and availability of its data processing systems and services. • Patch Management 51. Following proceeded to check the state of the-environment. - provided a number of commands to validate whether a had been compromised via the vulnerabilitone of which showed "significant indication" of this. - released a mitigation step for this vulnerabilony 19 December 2019. It provided a patch to fix the vulnerabilon 19 January 2020. Tuckers stated to the Commissioner that it installed the patch in June 2020, more than four months after the patch was released, 17, • ICO. Information Commissioner's Office and accepted that the attacker could have exploited its vulnerability during the un-patched period. 52. With regards to "state of the art", it is apparent that- had announced on 17 December 2019 that it was aware of the vulnerability CVE- - and provided mitigation steps to prevent exploitationof it, with a patch to fix the vulnerabilitbeing released on 19 January 2020. 
At the time of becoming aware of the vulnerability, -advised in a published security bulletin on its website that it "strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to and - deployments". 53. On 27 January 2020, the NCSC published an 'Alert' that malicious actors were exploiting the CVE- vulnerability.The Alert said "the NCSC recommends following vendor best practice advice to mitigate vulnerabilitiesIn this case, the most important aspect is to install the latest updates as soon as practicable and to follow the vendor mitigation advice immediately [...] the NCSC also strongly advises organisations carry out searches across their networks to identify whether exploitation has taken place". Itprovided a link to a tool that detects the vulnerability. On 29 January 2020, the NCSC published a subsequent Alert on its website. Itprovided further details on how to detect the vulnerability. 54. On 8 April 2020, the NCSC published a joint advisory with the US Department of Homeland Security (CISA) titled "COVID-19 exploited by malicious cyber actors". Itexplained that CVE- and its exploitationhas been widely reported online since January 2020; it provided links to guidance on how to resolve the vulnerability. 18, • ICO. Information Commissioner's Office 55. On 28 April 2020, - published a security blog drawing attention to recent ransomware attacks. It explained that malicious actors were exploiting such vulnerabilitieas remote access without multi-factor authentication,older operating systems such as 'Server 2008' and the -vulnerability CVE- 56. 
The Commissioner has considered relevant industry standards of best practice, including the ISO27002 suggestion that organisations should define a timeline to react to notifications of potentially relevant technical vulnerabilities and, once a vulnerability has been identified, associated risks should be identified and actions taken, such as patching the system to remove the vulnerability.

57. The Commissioner understands the CVE scored a CVSS of 9.8.[5] A score of 9.8 is rated as "critical". The 'NCSC Cyber Essentials' requires that patches rated as 'high' or 'critical' should be applied within 14 days of the release of the patch. As stated, the patch was released in January 2020 and installed some five months later. In addition to the NCSC Cyber Essentials, the ICO's Security Outcomes guidance also recommends actively managing software vulnerabilities and the application of software update patches.

58. The SRA also published guidance in 2018 which highlighted the importance of maintaining up-to-date IT equipment/systems.

59. In terms of cost, the patch was available for free. The Commissioner accepts that whilst the cost of the patch was free, there are other cost implications, such as the cost of personnel to test the patch prior to deployment. However, in the Commissioner's view, this should not have been a barrier to the prompt application of the patch given the sensitive personal data being processed.

60. Taking into consideration the highly sensitive nature of the personal data that Tuckers were processing, as well as the state of the security updates, and the costs of implementation for them, Tuckers should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk.

[5] The CVSS is an independent rating scale on how critical a vulnerability is. The CVSS scale is based on low, medium, high and critical, based on scores [...]
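Paragraph 57 reduces the patching failure to two measurable facts: the CVSS rating band (9.8 is 'critical') and the Cyber Essentials window of 14 days for 'high' and 'critical' fixes. The Python below is an added example, not part of the notice or of any tool it mentions, showing how a defender can check patch records against that rule. The CVSS v3.x rating bands are the standard ones; the install day (15 June 2020) is assumed because the notice says only "June 2020", the CVE identifier is a placeholder because it is redacted in the notice, and the other three records are constructed to exercise the remaining outcomes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band
    (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Cyber Essentials rule as quoted in the notice: fixes for 'high' or 'critical'
# vulnerabilities are applied within 14 days of the patch being released.
PATCH_DEADLINE_DAYS = 14
DEADLINE_RATINGS = {"high", "critical"}


@dataclass(frozen=True)
class PatchRecord:
    cve: str                    # identifier as published by the vendor
    cvss: float                 # CVSS v3.x base score
    released: date              # date the vendor shipped the fix
    installed: Optional[date]   # date the fix was applied; None = still open


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    days_open: int              # release -> install (or -> as_of if still open)
    deadline_applies: bool
    compliant: bool
    days_overdue: int           # 0 when compliant or when no deadline applies


def assess(record: PatchRecord, as_of: date) -> Finding:
    """Measure one patch record against the 14-day window."""
    severity = cvss_severity(record.cvss)
    end = record.installed if record.installed is not None else as_of
    days_open = (end - record.released).days
    if severity not in DEADLINE_RATINGS:
        return Finding(record.cve, severity, days_open, False, True, 0)
    overdue = max(0, days_open - PATCH_DEADLINE_DAYS)
    return Finding(record.cve, severity, days_open, True, overdue == 0, overdue)


def report(records: List[PatchRecord], as_of: date) -> List[Finding]:
    return [assess(r, as_of) for r in records]


def overdue_cves(records: List[PatchRecord], as_of: date) -> List[str]:
    return [f.cve for f in report(records, as_of) if not f.compliant]


# Constructed sample data. The first record mirrors the notice's timeline
# (CVSS 9.8, patch released 19 January 2020, installed "in June 2020"); the
# notice gives only the month, so 15 June 2020 is an ASSUMED day, and the CVE
# id is redacted in the notice, so a placeholder is used. The other three
# records are invented to show a non-binding rating, an on-time fix and a
# fix still outstanding on the assessment date.
AS_OF = date(2020, 8, 24)   # the day the ransomware attack was discovered
SAMPLE_RECORDS = [
    PatchRecord("CVE-REDACTED", 9.8, date(2020, 1, 19), date(2020, 6, 15)),
    PatchRecord("CVE-EXAMPLE-0001", 5.3, date(2020, 3, 1), date(2020, 5, 1)),
    PatchRecord("CVE-EXAMPLE-0002", 7.5, date(2020, 2, 3), date(2020, 2, 10)),
    PatchRecord("CVE-EXAMPLE-0003", 9.1, date(2020, 7, 20), None),
]

if __name__ == "__main__":
    for f in report(SAMPLE_RECORDS, AS_OF):
        status = "OK" if f.compliant else f"OVERDUE by {f.days_overdue} days"
        print(f"{f.cve:18} {f.severity:8} open {f.days_open:3}d  {status}")
```

Run over real patch records, the report yields the same "days open" figure the Commissioner relied on, which is why recording the release date and the install date per fix, rather than a bare patched/unpatched flag, is what lets an organisation demonstrate compliance with the 14-day rule.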
In doing so, it did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article 5(1)(f) GDPR.

61. The Commissioner further notes that Tuckers' own GDPR & Data Protection Policy states that "all software, operating system and firmware shall be updated on a regular basis to reduce the risk presented by security vulnerabilities". Tuckers speculated that it was unlikely the attacker would have exploited a vulnerability to gain access to the network, but then not executed the attack until August 2020, two months after initial access. However, this is a common attacker tactic used by advanced persistent threat groups. Accordingly, the Commissioner is not persuaded that the passage of time from June 2020 (when the patch was implemented) to August 2020 (when the attacker exfiltrated data) casts significant doubt on the likelihood of this patching delay having given the attacker the opportunity they exploited. In any event, even if the attack did not exploit this delay, the delay was nonetheless a significant deficiency in Tuckers' technical measures that created the risk of serious incidents such as this.

62. For the same reasons, Tuckers also failed to meet the requirements of Article 32(1)(b), which required appropriate measures to be put in place to ensure the ongoing confidentiality, integrity and availability of its data processing systems and services.

• Failure to encrypt personal data

63. Tuckers provided information during the Commissioner's investigation that the personal data stored on the archive server that was subject to this attack had not been encrypted. The Commissioner accepts that encryption of the personal data may not have prevented the ransomware attack. However, it would have mitigated some of the risks this attack posed to the affected data subjects.
This is because effective encryption management, with appropriate protection of the decryption keys, can prevent an unauthorised party such as a malicious attacker from being able to read the personal data once they have obtained access to systems. Such encryption would therefore have upheld the principles of confidentiality of the personal data, even in its exfiltrated form.

64. With regards to "state of the art", the Commissioner has taken into consideration relevant standards of best practice, including the ISO27001 requirement to implement cryptographic controls in compliance with all relevant agreements, legislation and regulation. NIST 800-53 also discusses how the selection of cryptographic mechanisms should be based on the need to protect the confidentiality and integrity of organisational information. It says that the strength of a mechanism should be commensurate with the security category or classification of the information. The Commissioner understands that the Tuckers GDPR and Data Protection Policy identified client data as its most sensitive data, requiring the highest level of protection.

65. The Commissioner's published guidance on encryption also states that it "considers encryption to be an 'appropriate technical measure' and in cases where data is lost or unlawfully accessed and encryption was not used, we may consider regulatory action". The ICO's Security Outcomes guidance suggests implementing technical controls such as encryption to prevent unauthorised or unlawful processing of personal data. The SRA also published guidance in 2017 which highlights encryption as a cost effective step in keeping information safe.

66.
Although the ICO does not endorse or recommend one particular encryption solution, the Commissioner understands that free, open-source encryption solutions are widely available, or, should Tuckers have wished to purchase specific court-bundling software with encryption capabilities, this is also commercially and inexpensively available. The Commissioner's experience is that the use of encryption solutions is an industry norm within legal services, as would be expected.

67. Taking into consideration the highly sensitive nature of the personal data that Tuckers were processing, as well as the state of the art of encryption, and the costs of implementation, Tuckers should not have been storing the archive bundles in unencrypted, plain text format. In doing so, it did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article 5(1)(f) GDPR.

68. For the same reasons, Tuckers also failed to meet the requirements of Article 32(1)(a), which expressly cites the encryption of personal data as an appropriate security measure.

Notice of Intent

69. On 7 September 2021, in accordance with s.155(5) and paragraphs 2 and 3 of Schedule 16 DPA, the Commissioner issued Tuckers with a Notice of Intent to impose a penalty under s.155 DPA. The Notice of Intent described the circumstances and the nature of the personal data breach in question, explained the Commissioner's reasons for a proposed penalty, and invited written representations from Tuckers.

70. On 22 November 2021, Tuckers provided substantial written representations in respect of the Notice, together with supporting documentation in relation to its finances. In answer to further questions posed by the Commissioner on 1 December 2021, Tuckers provided additional information on 24 December 2021.

71.
On 7 February 2022, the Commissioner held a 'representations meeting' to thoroughly consider the representations provided by Tuckers. At that meeting it was decided that a monetary penalty remained appropriate in all of the circumstances.

Factors relevant to whether a penalty is appropriate, and if so, the amount of the penalty

72. The Commissioner has considered the factors set out in Article 83(2) of the GDPR in deciding whether to issue a penalty for the contravention of Article 5(1)(f) (and 32(1)) particularised above. For the reasons given below, he is satisfied that (i) the contraventions are sufficiently serious to justify issuing a penalty in addition to exercising his corrective powers; and (ii) the contraventions are serious enough to justify a significant fine.

(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

73. The Commissioner considers that there have been a number of infringements identified in relation to Articles 5(1)(f) and 32 GDPR that have demonstrated Tuckers' approach to data protection compliance was not of an appropriate standard.

74. In its public communication of the breach, it stated that it held client information relating to over 60,000 clients. Tuckers stated that, during the attack, a significant amount of personal data, including special category data, was unlawfully accessed and encrypted by the attacker. This included over 20,000 court bundles, of which 60 bundles were exfiltrated and released onto the dark web.

75. The personal data included within the bundles included special category data, and related to individuals that were particularly vulnerable, including children and individuals involved in significant crimes.
This, in the Commissioner's view, increases the severity of this infringement given that this type of personal data required particularly high levels of security to be applied to it.

76. In terms of the duration of the infringement, the Commissioner considers that the contravention period for this breach persisted over at least part of the period from 25 May 2018 (i.e. the date on which GDPR came into force) until 25 August 2020 (i.e. the date on which Tuckers reported the breach to the Commissioner and shut down the relevant system, preventing any further possible unauthorised access). The Commissioner notes that Tuckers failed to have MFA in place, which was recommended from at least 2016; it resolved this issue by 19 November 2020. As explained above, the patch management contravention spanned the period from January to June 2020. The encryption contravention is likely to have persisted over a longer period.

77. In terms of the assessment of damage suffered by affected data subjects, the Commissioner has regard to Recital 85 GDPR which explains that "physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned".

78. The Commissioner finds that the release of personal data of the type in this case on to the dark web in particular, is likely to increase distress to the affected individuals, not least given the vulnerability of some of the individuals to whom the data related.

79. Some of the exfiltrated data includes image files in relation to allegations of [redacted], and bundles that identify the complainants; documents which identify [redacted] and [redacted]; and the [redacted] of witnesses to crimes.
In some instances, the compromised data included legally professionally privileged information between clients and Tuckers.

80. Further, the exfiltrated data included personal data relating to a prisoner's child (in relation to access to the child). Recital 38 GDPR explains that children merit specific protection with regard to their personal data. The child's privacy has been breached, with intimate details of their family life published online.

(b) the intentional or negligent character of the infringement

81. The Commissioner considers that this personal data breach occurred due to a criminal and malicious cyber-attack that exploited negligent security practices.

82. Tuckers were aware prior to the attack that its security was not at the level of the NCSC Cyber Essentials. In October 2019, it was assessed against the 'Cyber Essentials' criteria and failed to meet crucial aspects of its requirements.

83. The NCSC describes Cyber Essentials as: "A simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks [...] Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They're the digital equivalent of a thief trying your front door to see if it's unlocked. Our advice is designed to prevent these attacks".

84. Given the personal data that Tuckers was processing, including special category data of very vulnerable individuals, the Commissioner believes that it is reasonable to expect that the security within Tuckers should not only have met, but surpassed the basic requirements of Cyber Essentials. The fact that some 10 months after failing Cyber Essentials it had still not resolved this issue is, in the Commissioner's view, sufficient to constitute a negligent approach to data security obligations.

85.
In addition, Tuckers were accredited by the Law Society's Lexcel Legal Practice Quality Mark. Its March 2018 Standards stated that law practices should be accredited against Cyber Essentials. This further reinforced the conclusion that Tuckers should have had the requisite measures in place to achieve accreditation by at least October 2019, and when it failed its Cyber Essentials assessment, it should have quickly and promptly resolved the inadequacies. Had it done so, it could have demonstrated a much stronger approach to compliance and would have greatly reduced the likelihood of this personal data breach occurring.

86. Tuckers is also regulated by the SRA. In 2017, the SRA warned its organisations that the legal sector was an obvious target for cyber criminals. It stated that "solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality".

87. It also provided security guidance in 2017, in its "IT Security: keeping information and money safe" publication; and in 2018, in its "Technology and Legal Services". Both provided advice and guidance, such as encryption, secure remote access and up to date operating systems and software, that if followed, would have significantly reduced the likelihood of this attack being successful.

88. In addition, the Commissioner provided free assessment toolkits for controllers to use to support them in complying with the GDPR. One such toolkit (regarding 'Records Management') provided advice and guidance on deleting personal data when it is no longer necessary (i.e. when the retention period has expired).

89. Further negligent practices by Tuckers that were of concern to the Commissioner included:

• Failing to implement MFA on its [redacted] remote access solution.
[redacted] advised in 2016 that you should have MFA in place for production environments, and the NCSC recommended in 2018 that you should have MFA in place for remote access solutions.

• Processing personal data on the operating system [redacted], which ended mainstream support in 2015, and ended extended support in January 2020, meaning that it was no longer supported, and therefore received no security updates.

• Not applying a high-risk security patch until four months after it was released, despite it being listed as 'critical'. This was particularly negligent given that the NCSC had published an Alert drawing attention to it.

• Failing to apply encryption techniques to data at rest, despite ICO Guidance from 2018 recommending it;

• Storing court bundles after its 7-year retention period, some of which were exfiltrated through this attack. A failure to adhere to or to justify departures from its retention practices creates concerns about compliance with Article 5(1)(e) GDPR, which requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".[6]

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects

90. Tuckers assessed that, in relation to the individuals of the 60 exfiltrated court bundles, these were likely to result in a high risk to individuals; therefore, in line with Article 34 GDPR requirements, it notified the affected data subjects of the personal data breach,[7] using the following methods: letters and emails sent on 19 October 2020; social media notification and website publication.

91. In addition, Tuckers commissioned third party support (i.e. [redacted]) who provided incident response support following the breach. It also reported the incident to Action Fraud, the National Crime Agency, the Metropolitan Police, the NCSC, and the SRA.

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32

92. The Commissioner is also satisfied that Tuckers was responsible for multiple breaches not only of Article 5(1)(f) but also of Article 32, not least through its failure to implement MFA on its remote access solution and its patch management inadequacies. The Commissioner finds that Tuckers failed to meet the requirements of Article 32(1)(b) GDPR, which required appropriate measures to be put in place to ensure the ongoing confidentiality, integrity and availability of its data processing systems and services. In relation to the lack of encryption of the archived court bundles, Tuckers failed to meet the requirements of Article 32(1)(a) GDPR, which lists the encryption of personal data, inter alia, as an appropriate security measure.

(e) any relevant previous infringements by the controller or processor

[6] Tuckers stated to the Commissioner at one point during [...]: "this is where criticism of us is most justified and where we are looking to rebuild our systems without repeating the sins of the past. We have been reasonably good managing our case management environment and central archives on the basis that we do not store items for longer than necessary where possible. However, the files that were accessed were in locations that were not being proactively managed well enough with regards ensuring that data that was still being stored outside of our retention periods was then be[...]". The Commissioner notes, however, that subsequent representations from Tuckers suggested that its retention of the compromised files was justified.

[7] Save for the 7 individuals for whom Tuckers had no contact details (see Footnote 3).
93. The Commissioner is unaware of any previous data protection infringements by Tuckers.

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement

94. Tuckers were fully cooperative with the Commissioner's investigation.

(g) the categories of personal data affected by the infringement

95. The compromised bundles contained a range of categories of personal data, and special category data as defined by Article 9(1) GDPR. Specifically those categories included:

• Basic Identifiers
• Health Data
• Economic and Financial Data
• Criminal Convictions
• Data revealing racial or ethnic origin

96. Given the nature of court bundles, however, the personal data affected by this attack was not confined to discrete fields such as those listed above. Instead, the data included narrative descriptions of facts, allegations and opinions about the data subjects referred to in those bundles. In total, 972,191 individual files were encrypted. Of these, 24,711 related to court bundles which contained a wide range of personal data. Of the 24,711 court bundles, 60 were exfiltrated by the attacker and published on the dark web. Of these 60 bundles, 45 related to civil cases and 15 related to criminal cases.

97. In relation to the civil proceedings, Tuckers stated that "the bundles are bundles that were prepared by us - but again bundles that were prepared for use in connection with either a preliminary or final hearing in relation to the matters. In civil proceedings it is our responsibility (we do only Claimant work) to prepare the bundles for use in connection with the Court hearings."

98. In relation to the criminal proceedings, Tuckers stated that "all the material is material that was served on Tuckers by the prosecution and would therefore have been subject to use in open Court proceedings.
The bundles do not include any documentation that we have prepared, for example letters providing legal advice or draft statements prepared in connection with the defence. It is only prosecution evidence served on us - which includes documentation and videos relating to CCTV/Body Worn Video served on [redacted]". The Commissioner has given weight to the fact that some of the compromised data will have been referred to in open court proceedings, but does not consider that this eliminates the serious prejudicial consequences of this attack, which resulted in extensive and sensitive data being made available to unauthorised persons in ways that are very different from references in court during the course of proceedings.

99. Tuckers explained that the bundles included a comprehensive set of personal data, including medical files, witness statements, names/addresses of witnesses and victims, and alleged crimes, including particularly heinous crimes such as rape and murder.

100. It stated that some of the clients involved in its cases are vulnerable in terms of their mental or physical wellbeing, with such information being included as part of those clients' bundles.

101. It confirmed that witness statements were contained in many of the compromised bundles.

102. Tuckers provided the Commissioner with a summary of each of the exfiltrated bundles, which included personal data relating to vulnerable individuals as well as very sensitive personal data, including:

• [redacted]
• [redacted]
• [redacted]
• [redacted]
• [redacted]
• [redacted]
• [redacted]

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

103.
Tuckers notified the Commissioner via a self-reported personal data breach form on 25 August 2020, one day after becoming aware of the security incident, and the same day that it determined the security incident had resulted in a personal data breach.

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures

104. Not applicable.

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

105. Not applicable.

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly from the infringement

106. The Commissioner has considered the following aggravating factor in this case:

• The Commissioner's Regulatory Action Policy states that "In data protection cases, whether the relevant individual or organisation is certified by a body that has been accredited under Article 43 of the GDPR or has failed to follow an approved or statutory code of conduct", the Commissioner reserves the right to take this into consideration as an aggravating factor. The SRA has a published 'Code of Conduct for Firms'. Of particular relevance here are the requirements to: [Para 2.1(a)] "Have effective governance structures, arrangements, systems and controls in place that ensure [...] [compliance] with all the SRA's regulatory arrangements as well as with other regulatory and legislative requirements, which apply to you"; [Para 2.5] "[...] identify, monitor and manage all material risks to your business"; [Para 3.1] "[...] keep up to date with and follow the law and regulation governing the way you work"; and [Para 5.2] "[...] safeguard money and assets [including documents] entrusted to you by clients and others".
The Commissioner considers that Tuckers has failed to meet these standards of the Code.

107. The Commissioner has considered the following mitigating factors in this case:

• Tuckers has proactively sought to address the security concerns and engaged with third party experts to increase the security of its systems, including:

(a) On 19 November 2020 it completely separated from its legacy infrastructure and updated to a [redacted] environment;
(b) It implemented MFA access to all other remote access environments;
(c) It has purchased database and software capabilities as a service where [redacted] will be responsible for updating and patching the core infrastructure, database and software;
(d) It is engaging with 'Cyber Griffin' at the City of London Police and has made it mandatory for all of its employed staff to attend their baseline briefings;
(e) It has also agreed to invite 'Cyber Griffin' to do an audit of its security procedures prior to applying again for Cyber Essentials in the first instance and, Cyber Essentials Plus shortly thereafter;
(f) It is in the process of completing its purchase of licences from [redacted] to run [redacted] on their user accounts, in order to provide greater security in relation to the devices that connect to its network; it has also engaged the services of a [redacted] network engineer to support them in configuring this. Once this is done it intends to apply for NCSC Cyber Essentials Accreditation;
(g) It has automated the deletion of personal data within its case management system on the expiry of the retention period. For personal data stored outside its case management system, it is using an external consultant to identify tools built into its new environment that will support the classification, and automated deletion, of personal data.
(h) It has encrypted data on Tuckers' systems through [redacted] and [redacted] encryption. This is so by design.
(i) It has transferred all client data to [redacted] which has ensured the effective application of Tuckers' data retention policy to all such data;
(j) It has continued to improve training and information security awareness throughout its business, including through weekly communications on cyber risks and awareness. This, in turn, has led to the increased reporting of suspicious activity, thereby improving the security of Tuckers' systems;
(k) It has made improvements to the management of Tuckers' antivirus and privileged accounts, with local admin end users having been removed.
(l) It has addressed the human resourcing issues and now utilises third-party specialists as required and has expanded its IT team. There are now four members of staff including a Systems Manager who is responsible for ensuring that all third-party contracts and services that Tuckers uses for specialist support are well managed;
(m) Penetration testing has been carried out and is regularly scheduled. All critical and high-risk issues identified in those tests have been remedied.

Summary and amount of penalty

108. For the reasons set out above, the Commissioner has decided to impose a financial penalty on Tuckers. The Commissioner has taken into account the size of Tuckers, publicly available information regarding its finances, and the representations made by Tuckers as to its financial position. He is mindful that the penalty must be effective, proportionate and dissuasive.

Calculation of the penalty

109. Following the 'Five Step' process set out in the RAP, the Commissioner has arrived at an appropriate penalty amount as follows:

Step 1: An initial element removing any financial gain from the breach.

110. The Commissioner noted that there was no financial gain or benefit to Tuckers from this breach.
Step 2: Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) DPA.

111. This refers to and repeats the matters listed in Article 83(1) and (2) as set out above. The breach was a negligent one which involved personal data of those individuals linked to court cases for criminal and civil proceedings. The affected personal data involved (but was not limited to) basic identifiers, financial and economic data and other special category data. The Commissioner has outlined above a number of failings identified in respect of Tuckers' steps to take appropriate organisational and technical measures. These failings resulted in 972,191 individual files being encrypted. Of these, 24,711 related to court bundles which contained a wide range of personal data. Of the 24,711 court bundles, 60 were exfiltrated.

112. The Commissioner acknowledges Tuckers' cooperation throughout the investigation and the steps taken by Tuckers to contact the individuals affected by the breach in line with Article 34 GDPR.

113. The duration of the infringement was up to 2 years and 3 months, though the precise period varied between the particular contraventions.

114. Based on the above, the Commissioner finds that the starting point for any penalty in respect of this breach is 3.25% of Tuckers' annual turnover for 30 June 2020.

Step 3: Adding in an element to reflect any aggravating factors (Article 83(2)(k)).

115. The Commissioner notes Tuckers' failure to comply with the SRA code of conduct, but has not applied any increase to the penalty percentage of 3.25% in this instance.

Step 4: Adding an amount for deterrent effect to others.

116. No increase has been applied for this factor in this instance.

Step 5: Reducing the amount to reflect any mitigating factors including ability to pay.

117.
Prior to serving the Notice of Intent, the Commissioner noted the steps taken by Tuckers to avoid future breaches in light of this incident (including purchase of software, automated deletion, implementation of MFA and staff training). He believed that these were processes which should have been in place in any event, and applied no reduction for this.

118. The Commissioner has gone on to consider the extensive representations made by Tuckers in response to the Notice of Intent, including representations made in respect of the proposed penalty sum and the impact of a penalty on the firm. The Commissioner is satisfied that Tuckers has submitted significant representations regarding the circumstances of the incident and the subsequent further remedial measures implemented following the breach, including:

- Additional IT staff members
- Increased training and professional penetration testing

119. The Commissioner has also considered:

- Tuckers' financial position
- Additional information which was provided which narrowed the scope of the Commissioner's findings in relation to the contravention
- Representations made in relation to managing IT staff illness/shortages
- The important work Tuckers do in protecting vulnerable individuals
- Further clarification that the infringements identified were purely in relation to Tuckers' archive system

120. Taking into account all of the factors set out above, the Commissioner has decided to impose a penalty on Tuckers of £98,000 (ninety-eight thousand pounds).

Payment of the penalty

121. The penalty must be paid to the Commissioner's office by BACS transfer or cheque by 29 March 2022 at the latest. The penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England.

122. There is a right of appeal to the First-tier Tribunal (Information Rights) against:
Information Commissioner's Office (a) The imposition of the penalty; and/or, (b) The amount of the penalty specified in the penalty notice 123. Any notice of appeal should be received by the Tribunal within 28 days of the date of this penalty notice. 124. The Commissioner willot take action to enforce a penalty unless: • the period specified within the notice within which a penalty must be paid has expired and allany of the penalty has not been paid; • all relevant appeals against the penalty notice and any variation of it have either been decided or withdraand • the period for appealing against the penalty and any variation of it has expired. 125. In England, Wales and Northern Ireland, the penalty is recoverable by Order of the County Court or the High Court. In Scotland, the penalty can be enforced inhe same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. 126. Your attention is drawn to Annex 1 to this Notice, which sets out details of your rights of appeal under s.162 DPA. 40, • ICO. th Information Commissioner's Office Dated the 28day of February 2022 Stephen Eckersley Director of Investigations InformatioCommissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 41, • ICO. Information Commissioner's Office ANNEX 1 Rights of appeal against decisions of the commissioner 1. Section 162 of the Data Protection Act 2018 gives any person upon whom a penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal') against the notice. 2. 
If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: GRC & GRPTribunals PO Box 9300 Arnhem House 31 Waterloo Way Leicester LEl 8DJ Telephone: 0203 936 8963 Email: grc@justice.gov.uk 42, • ICO. Information Commissioner's Office a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The noticeof appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 43, • ICO. Information Commissioner's Office 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another advAt the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. 
The statutory provisions concerning appeals to the First-tier Tribunal (General Regulatory Chamber) are contained in sections 162 and 163 of, and Schedule 16, the Data Protection Act 2018, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (StatutorInstrument2009 No. 1976 (L.20)). 44