WATCH · Data, Security & Compliance_

The 72-Hour Clock: A UK Data Breach Story

Saleem Beg · Founder, Teque

Posted 4 weeks ago

KEY TAKEAWAYS_

  • Under Article 33 of UK GDPR, an organisation must notify the ICO within 72 hours of becoming aware of a notifiable breach — not of resolving it — unless the breach is unlikely to result in a risk to individuals; a serious breach must also be reported to the SRA
  • The gap in special category data documentation is one of the most common and least understood compliance failures in UK legal practice right now
  • The breach is rarely the beginning of the problems — it is when you discover you already had them

TRANSCRIPT_

00:00

Check this out. 7:43 a.m. Tuesday. Priya is on a train somewhere between Woking and Clapham Junction. She's standing with coffee in hand, phone in the other, an email arrives. It looks exactly like a DocuSign request. You know, the blue banner, the little envelope, the review and sign button.

00:23

The sender is a client name she recognizes, apparently a conveyancing matter, nothing unusual. She taps the link without thinking. The page that loads asks her for Office 365 credentials. She enters them as her coffee gets cold in her hand. Now, Priya Sharma is the compliance officer at Mirza Holt Solicitors in Guildford.

00:47

She's been in that role for 3 years and she'd raised cybersecurity at the last two partnership meetings. She'd sent a draft IT policy to Marcus Holt in February, in March, and then in April. Marcus had been building this firm for 26 years. He trusted the IT support contract they'd had since 2014 on £380 a month. A man called Dave who came in quarterly and checked everything was

01:18

fine. He had last visited back in January. So, by 9:15 a.m., Priya's credentials had been used to log in to the firm's file system from an IP address in Bucharest. By 10:30 a.m., 17 gigs of data had begun moving quietly toward an external server, yet no one noticed.

01:45

There were no alerts, there was no monitoring system, there was Dave and Dave's mobile number, which went to voicemail. It's a paralegal named Josh who eventually spots it. Not because of any security system, but because the shared drive starts misbehaving.

02:04

And he can't open a file he needs for a 2:00 p.m. court bundle. He mentions it to the office manager. The office manager calls Dave. Dave calls back at 11:47 and suggests restarting the server. The server restarts. The exfiltration pauses, then resumes.

02:24

The files that left the building that morning included medical records from a personal injury claim, signed witness statements in a contested divorce, bank statements from a probate matter, immigration documents, passports, biometric residence permits, Home Office correspondence for 41 clients.

02:49

And the firm's entire client database, i.e., names, addresses, dates of birth, national insurance numbers, 412 clients, 16 years of history. At 1:30 p.m., Marcus finally asks the question that's been sitting in the room since lunch.

03:14

Do we have to tell our clients? Priya takes a breath and says, "Under Article 33 of UK GDPR, yes. We have 72 hours from the point of discovery to notify the ICO. Not when we fix it, from when we knew of the breach." Marcus, now looking older than he did this morning, asks about the SRA, to which Priya replies, "We are required to notify them of any serious breach, and

03:49

this qualifies." She slides a printout across the table and says, "Our privacy policy was last updated in October 2018. It doesn't mention special category data, and we have no documented legitimate interests assessments." She lets that land.

04:10

At that point, Marcus admits, "So, the breach isn't the start of our problems. The breach is just when we found out we had them." What follows is not dramatic. It is grinding and expensive and long: an ICO investigation, SRA supervisory engagement, a forensic firm at £4,500 a day, client notification letters to clients who threaten claims, one journalist who somehow gets hold of the

04:42

story, a professional indemnity renewal that comes in 34% higher. Poor Dave, his contract is terminated. A proper managed security provider is onboarded at 12 times the cost. The case management system, the one that hadn't received security patches since the vendor stopped supporting it back in 2019, is finally replaced.

05:08

So, you have 7 months at £85,000. So, here is the note you need to hear before this ends. Mirza Holt Solicitors does not exist. I just made them up. But the ICO's enforcement register does exist, and it contains the names of real law firms, real fines, and real findings of inadequate technical controls.

05:33

The SRA's thematic review is real. The 72-hour clock is real. The Article 33 obligation is real. The gap in special category data documentation is, according to data protection lawyers, one of the most common and least understood compliance failures in UK legal practice right now. The question for most firms isn't whether they are exposed, it's whether they'll

06:02

find out the same way Mirza Holt did.
