In the wake of the recent cyber-attacks on two barristers’ chambers, The Lawyer reported that city firms are getting tougher with their counsel regarding cybersecurity posture. Overall, statistics show that the professional services sector is still one of the most targeted by hackers. Doxing sites hold data stolen from law firms all over the world. The key concern is that such data includes personal data and client confidential information relating to sensitive matters.
The attacks on chambers have demonstrated the requirement to enhance the cybersecurity position of some of the country’s most traditional legal outfits. This is not the beginning of law firms being targeted by both threat actors and nation states, with historic attacks reaching back as far as ten years.
Not only is there concern with organisations that receive data from a law firm, but also with those organisations that have a foothold of access within the firm itself in order to provide services. The sophistication of the Kaseya and SolarWinds attacks has shown that a degree of privilege across a law firm’s network can act as a ‘back door’ for malicious software. Whilst this is troubling for firms, it also shows the difficulty of managing an incident where the majority of the information required is held by another entity that is itself reeling from an attack.
The risk profile of a law firm spreads across multiple practice areas and business services. As firms move towards automation and outsourcing, client data is shared to provide the best service to the client. Often when considering third party risk, employees are overlooked due to the client focus.
When considering the response to these incidents, timing is critical. A law firm is reliant on the relationships with its clients but also its staff. There may be legal and regulatory requirements to notify various entities in the event of a cyber incident.
Client relationship partners may want to advise their clients as soon as possible. However, early notification may result in more questions than answers. Often during these incidents, the response team is working to investigate and contain the extent of the compromise.
There are many questions without answers, and those answers benefit from taking some further time. We often advise clients to hold for a slightly longer period in order to collate the detail needed to support their clients from the outset, rather than elevate concern at an early stage.
Notwithstanding the risks outlined above, the most critical issue is the loss of information which would ordinarily be subject to legal privilege. Loss or publication of such information may have a critical impact on an ongoing legal case or severely disadvantage a client in ongoing negotiations.
Many law firms outsource a number of employee functions such as payroll, employee assistance programmes and benefits. Typically, those platforms contain sensitive personal data which can have a dramatic impact in the event of a personal data breach.
The response to an employee data compromise is perhaps even more critical than client response, as the employees are required to be onside from the outset. A number of data breach claims we defend have come from disgruntled ex-employees or those who departed in the wake of an incident.
It is not surprising that third party relationships are called into question following an incident. The contractual obligations most questioned are those around cybersecurity requirements and notification provisions. This demonstrates that firms should seek to get these in line pre-incident. A robust framework will allow for smoother notifications from providers, in addition to giving the firm a broader awareness from which to develop its communications strategy.
It is often the case that those who advise so extensively on cyber vulnerabilities are also the targets and victims. Robust plans and relationship management are critical to responding to any cyber incident, and the fact that city firms are now taking a more pragmatic approach should lead the way for others to follow.