Privilege without purpose: Law firm fined by Information Commissioner following cyber-attack

In the recent past there has been a spate of law firms falling victim to cyber-attacks. In August 2024, the Law Society Gazette reported that the number of such attacks on UK firms had risen from 538 to 954. Law firms remain vulnerable not only to attacks on client accounts but also to attacks on the IT systems that store client files.

In 2022, DPP Law, based in Bootle with additional offices in Birmingham, Liverpool, London and Tolworth, was subject to a cyber-attack which resulted in 791 client files being uploaded onto the dark web; these included files relating to criminal cases, family and matrimonial cases and actions against the police. On 14 April 2025, the Commissioner served a penalty notice (“PN”) on the law firm in the amount of £60,000, having found that the firm breached Articles 5(1)(f) and 33 of the UK General Data Protection Regulation. In doing so, the Commissioner had regard to the judgment in VB v Natsionalna agentsia za prihodite (Case C-340/21) [2024] 1 WLR 2559 that the fact that a cyber incident took place is not, of itself, sufficient to make a finding that a controller has infringed Articles 5(1)(f) and 32 (see PN §38).

At the core of this breach was a user account with access privileges far greater than its purpose required. The account was an administrator account for a legacy case management system. Its legitimate role on the firm’s network was limited; nevertheless it held full administrator rights across the network. The firm had known of the account’s existence for at least 11 years before the cyber-attack, but did not know the password and could not reset it: the password was known only to a third-party supplier. The legacy case management system was taken out of service in 2019, and the service agreement with the new supplier covering the legacy system account ended in 2021. The system nonetheless stayed live: the firm argued that it still needed access to the data held in the legacy system, apparently because that data had not yet reached the end of the retention period under the firm’s data retention policy. An account whose credential the controller cannot reset, sitting on a system the controller no longer operates, carries all of the risk and none of the benefit; disabling it, or at least stripping its network-wide rights, was the obvious control. The firm appears, from the terms of the penalty notice, to have tried to minimise its own role in the incident and to shift blame onto its external IT suppliers; that argument was given short shrift by the Commissioner. The full penalty notice is worth reading, as it contains useful lessons not just for law firms but for all data controllers.
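The failure pattern described above (an account whose rights exceed its purpose, on a system that has been retired, with a credential held only by a supplier whose contract has ended) is something a controller can check for mechanically across its whole account inventory. The script below is an added example, not code from the penalty notice or from DPP Law; the inventory, the field names, the dates and the triage rules are this example's own constructed assumptions, chosen to resemble the facts the notice describes. It goes beyond the single account in the case by scoring every account in the inventory and recommending one action for each.

```python
"""Audit an account inventory for 'privilege without purpose'.

Added example, not from the penalty notice.  The inventory below is
constructed: one account resembles the facts described (legacy case
management admin with network-wide rights, password known only to a
supplier, system retired, support contract ended); the others are
ordinary accounts for contrast.  Field names and triage rules are
this example's assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed "as-of" date for the audit (the attack was in 2022).
AS_OF = date(2022, 6, 1)


@dataclass(frozen=True)
class Account:
    name: str
    system: str
    granted: frozenset                # privileges the account actually holds
    needed: frozenset                 # privileges its stated purpose requires
    custody: str                      # "internal", "third_party" or "unknown"
    resettable: bool                  # can the firm reset the credential itself?
    system_retired: Optional[date]    # decommissioning date, None if in service
    support_ends: Optional[date]      # end of supplier contract, None if n/a
    password_rotated: Optional[date]  # last known rotation, None if unknown


def audit_account(acct: Account, today: date, max_age_days: int = 365) -> list:
    """Return the reasons this account is risky (empty list if none)."""
    findings = []
    excess = acct.granted - acct.needed
    if excess:
        findings.append("excess privilege: " + ", ".join(sorted(excess)))
    if acct.system_retired is not None and acct.system_retired <= today:
        findings.append("system retired on %s but account still enabled"
                        % acct.system_retired)
    if acct.custody != "internal":
        findings.append("credential not under the firm's control (%s)"
                        % acct.custody)
        if acct.support_ends is not None and acct.support_ends <= today:
            findings.append("supplier contract ended on %s" % acct.support_ends)
    if not acct.resettable:
        findings.append("firm cannot reset the credential")
    if acct.password_rotated is None:
        findings.append("password age unknown")
    elif (today - acct.password_rotated).days > max_age_days:
        findings.append("password last rotated %s" % acct.password_rotated)
    return findings


def triage(acct: Account, today: date) -> tuple:
    """Map findings to one action: 'disable', 'reduce', 'rotate' or 'ok'.

    Disable wins whenever the system is retired, or the firm does not
    control the credential of an account that still holds privileges:
    an account you cannot reset is not one you can keep safely.
    """
    findings = audit_account(acct, today)
    retired = acct.system_retired is not None and acct.system_retired <= today
    uncontrolled = acct.custody != "internal" or not acct.resettable
    if retired or (uncontrolled and acct.granted):
        return "disable", findings
    if acct.granted - acct.needed:
        return "reduce", findings
    if findings:
        return "rotate", findings
    return "ok", findings


# Constructed inventory (not real DPP Law data).
INVENTORY = [
    Account("legacy-cms-admin", "legacy case management",
            granted=frozenset({"network-admin", "cms-admin"}),
            needed=frozenset({"cms-admin"}),
            custody="third_party", resettable=False,
            system_retired=date(2019, 12, 31), support_ends=date(2021, 12, 31),
            password_rotated=None),
    Account("fee-earner-01", "current case management",
            granted=frozenset({"cms-user"}), needed=frozenset({"cms-user"}),
            custody="internal", resettable=True, system_retired=None,
            support_ends=None, password_rotated=date(2022, 3, 1)),
    Account("backup-svc", "backup server",
            granted=frozenset({"backup-operator", "network-admin"}),
            needed=frozenset({"backup-operator"}),
            custody="internal", resettable=True, system_retired=None,
            support_ends=None, password_rotated=date(2022, 1, 10)),
]


def audit_inventory(inventory, today: date) -> dict:
    """Triage every account; returns {name: (action, findings)}."""
    return {a.name: triage(a, today) for a in inventory}


if __name__ == "__main__":
    for name, (action, findings) in audit_inventory(INVENTORY, AS_OF).items():
        print(f"{name}: {action}")
        for f in findings:
            print("   -", f)
```

Run as-is it recommends disabling the legacy admin account (retired system, supplier-held credential, unknown password age, excess network-admin rights), reducing the backup service account to the privileges it needs, and leaving the fee-earner account alone. The point of the ordering in triage is that custody and resettability are checked before privilege: the DPP account would have been flagged for disabling even if its rights had matched its purpose, because the firm could not control it.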

The way in which the Commissioner calculated the penalty is also worthy of consideration. The Commissioner does not issue many financial penalties for breaches of the UK GDPR or the Data Protection Act 2018, so it is always useful to gain an insight into how its policy is applied in practice. The Commissioner adopts a five-step approach, dealt with at §§ 135-164 of the PN. Taking into account the seriousness of the contraventions and the firm’s turnover, the Commissioner determined that the starting point for computing the penalty was £23,800, representing 0.68% of the firm’s turnover for the 2023/24 financial year. As to aggravating and mitigating factors, the Commissioner decided that there were no mitigating factors and no aggravating factors meriting an adjustment of the amount.

However, the Commissioner determined that a penalty of £23,800 would be neither effective nor dissuasive (see PN §157) and considered that a penalty of £60,000 would be more appropriate, representing 1.7% of the firm’s turnover for the 2023/24 financial year (PN §160). The firm argued that the Notice of Intent (which was in the sum of £60,000) was not in line with the Penalty Notice issued to another firm of solicitors in 2022, and that a penalty of £20,000 would be more appropriate. The Commissioner rejected this position for a number of reasons, including that the 2022 penalty notice was calculated under previous guidance on monetary penalties, and that it is not appropriate to compare enforcement action in previous cases because each case turns on its own facts and circumstances (PN §163(a)). Furthermore, in calculating the fine, due regard had to be given to all of the factors set out in Article 83(2), and these differ between cases, requiring consideration of the facts of each individual case (PN §163(c)).

The controller has 28 days to appeal the PN and/or the amount imposed to the First-tier Tribunal; otherwise it must pay the penalty by 19 May 2025.

Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.