ICO Fines DPP Law £60K in Rare GDPR Action After Cyber Attack

  • Louise Thompson
  • Sarah Wheadon
  • 07 May 2025
  • 2 min read

On 16 April 2025 the Information Commissioner’s Office (ICO) fined Liverpool law firm DPP Law Ltd £60,000 for breaching the UK GDPR after it suffered a cyber attack in June 2022. Whilst DPP Law say they are going to appeal this fine, what makes it worthy of note for all of us in the United Law network is that in recent years the ICO has rarely taken action for breaches of the UK GDPR (as opposed to PECR fines, which are more common), and this is the second time in recent years that the ICO has made an announcement about a law firm breaching the UK GDPR. The previous announcement was on 11 October 2024, when the ICO announced it had issued a UK GDPR reprimand to a law firm following a data breach that affected over 8,000 individuals. That breach also resulted from the firm suffering a cyber attack, during which an unknown third party gained access to its secure cloud-based server.

Focusing on the most recent incident, the ICO announcement explained that the cyber security incident impacted access to the firm’s IT systems for over a week and involved the cyber attackers taking over 32GB of data without the firm’s knowledge. The firm only became aware of this loss of data after being contacted by the National Crime Agency, which advised the firm that information relating to its clients had been posted on the dark web. In addition, the firm did not recognise that a reportable personal data breach had occurred; as a result, no personal data breach report was made to the ICO until 43 days after the firm became aware of it, whereas the UK GDPR requires the report to be made within 72 hours of the firm becoming aware.

Ultimately the ICO found that DPP Law had failed to put appropriate measures in place to ensure the security of personal data. This is a fundamental requirement of controllers under the UK GDPR in respect of the personal data they process, and it is all the more important for law firms because of the large volumes of personal data they hold, which will inevitably include special category personal data.

Our data protection experts highlight the key takeaways for our members:

  1. All controllers must understand their obligations under the UK GDPR, which includes being able to identify a personal data breach, assess whether a breach is reportable to the ICO and, if required, make the necessary report in a timely fashion.
  2. How controllers respond to breaches, and how breaches are mitigated, is key both in terms of the ICO’s response to the breach and the impact on affected data subjects (and ultimately the firm’s reputation).
  3. Having appropriate security measures in place to protect personal data is key; those measures must be kept under constant review and enhanced as appropriate over time. Multi-factor authentication, for one, is essential for all accounts (including admin accounts), as are appropriate access controls and processes for installing the latest security patches without delay.
  4. All firms need reliable, reputable third party IT support and IT providers. Appropriate due diligence should be carried out and contracts put in place to seek to ensure those third parties (and their services and products) comply with the UK GDPR.

Ultimately all businesses have to accept that personal data breaches and cyber security incidents will occur, but the robustness of IT systems, training, policies and procedures, and the response to a breach are all within our control.
