Law firms understand the implications of data breaches more than most types of business, so they should ensure their own systems are secure, especially in advance of GDPR, and they should be advising their clients to do the same.
Cybersecurity has dominated the global headlines during 2017. In May, ransomware attacks - allegedly emanating from North Korea - caused chaos in the NHS. The following month, James Comey, the former head of the FBI, gave evidence in which he claimed that he had "no doubt" that Russia had attempted to interfere in the 2016 US presidential election by hacking into voter databases. In September, it was revealed that credit ratings company Equifax was hacked and the confidential data of 143 million people was compromised.
What are the main fears around cybersecurity for law firms and their clients?
Data protection breaches
Currently, the Data Protection Act is the primary piece of legislation with which law firms need to comply - but they must additionally abide by the Solicitors Regulation Authority (SRA) rules, under which they are responsible for keeping any client data confidential. If client data is compromised, the financial and reputational impact on a firm can be significant and may involve:
- An investigation by the Information Commissioner’s Office (ICO)
- An ICO fine of up to £500,000
- Enforcement action by the SRA
- Loss of trust and business by existing clients
- Loss of future business from potential clients due to adverse publicity
The General Data Protection Regulation (GDPR) comes into force across the EU from 25th May 2018. It increases maximum fines for data breaches to €20 million or 4% of annual global turnover, introduces a variety of new data protection rules and tightens up existing regulations. According to recent research commissioned by CenturyLink, only 25% of firms believe they are currently compliant with the requirements of GDPR.
Firms which embark upon digital transformation without putting effective cybersecurity in place will suffer the most in the event of an attack. Documents stored on servers which are subsequently hacked can be lost or damaged, and home-based fee earners who rely on IT infrastructure to work remotely may be unable to do their work, leading to lost productivity and delays for clients.
Why are law firms vulnerable and what can they do to improve their cybersecurity?
Although some types of cyberattacks may be motivated by hacktivists keen to make a name for themselves, a large element of cybercriminality takes place for financial gain. Law firms are particularly vulnerable because they often hold valuable and sensitive client data. David Mahon, VP & Chief Security Officer at CenturyLink, explains: "Law firms suffer from the same posture [as many businesses] of not having paid attention to their cybersecurity for years. The thing that law firms need to realise is that they are holding highly sensitive data on their clients and all they have to do is look at some of the breaches [of other sectors] to find out why they are at risk. An example is the breach of PR Newswire by hackers to obtain pre-loaded press releases containing financial information for purposes of insider trading [ie to trade on the basis of the information before it was made public]. Other than PR Newswire, who else is going to have that sort of information? The answer is law firms involved in M&A activity." Another example of why the legal sector could be specifically targeted is a 2014 case in which five Chinese military officers were indicted by a grand jury in the Western District of Pennsylvania for computer hacking; this included intercepting internal communications that would help Chinese competitors in litigation with American companies by providing "insight into the strategy and vulnerabilities of the American entity."
Culture and people
Human mistakes are the biggest challenge to data security faced by law firms, according to the CenturyLink research. Employees and contractors often provide a soft target for hackers and are sometimes a threat themselves. According to Mahon: "The standard breach still occurs by exploiting the human element; phishing employees. Typically attackers are going to rely on employees making a mistake and then exploiting them; getting them to click on a link that downloads malware which grabs their credentials etc." So it's vital that firms increase staff awareness of cybersecurity through regular training.
Moving away from legacy on-premises IT systems to a cloud or colocation solution can improve cybersecurity. It addresses the security skills gap by allowing the provider to focus on keeping security constantly optimised and updated, thereby minimising the risks posed by external hacking.
However, technical measures can only ever go some way to tackling cybersecurity. According to Mahon: "One of the major threats is not having a well thought out cybersecurity strategy... You have to move from being a technical solution based thinker to a threat focused thinker."
How can law firms advise their clients regarding cybersecurity?
Firms which have tackled their own cybersecurity challenges will be much better placed to advise their clients in this regard. Understanding the theory of the compliance regime is one thing, but the practical work of putting the necessary data protection and cybersecurity measures in place brings a greater overall awareness of the difficulties. Some of the ways in which firms can advise their clients include:
- Explaining their key data protection duties
- Carrying out a data protection audit – both under the existing rules and in advance of the GDPR
- Advising them on how to implement practical solutions
- Running staff training on data protection issues
- Advising them to put relevant technical measures in place, possibly in conjunction with expert IT providers