Information security is a substantial risk for the legal sector. Law firms are an attractive target to cyber criminals due to the vast wealth of personal and private information in their possession.
Cyber-attacks on UK law firms increased by a fifth between 2014 and 2016, with nearly three quarters of the country’s top 100 targeted in 2015, according to PwC’s 25th Annual Law Firms’ Survey.
Despite the increasing threat, and the potential financial and reputational damage following a breach, a survey by the online legal magazine Legal Week found that only 35% of law firms had a response plan in place for cyber-attacks, compared with 52% in non-legal professions.
With the European Union’s General Data Protection Regulation (GDPR) due to come into force in May 2018, legal firms that fail to secure personal data appropriately will face severe fines in the event of a breach. The regulation could affect organisations throughout the world because it applies to any company that handles the personal data of Europeans. The GDPR defines a personal data breach as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Fines imposed following a breach could be as much as 4% of a firm’s annual global turnover or €20 million, whichever is greater. Furthermore, a firm fined under the GDPR is also likely to face personal litigation from the individuals whose data was lost. The total cost of a breach could therefore be far greater than the fine, and might see senior partners taken to court and even imprisoned should the breach show negligence.
To understand your legal data protection obligations, it is necessary to understand what is considered personal data. This is an area that can cause confusion. An individual’s name? That’s certainly personal information. But what about an email address? Or a photograph? Or an ID number that, when combined with other information you hold, could be used to identify someone?
For years, we have understood personal data in terms of the Data Protection Act 1998: that personal data is any data, whether by itself or when combined with any other data you possess or are likely to possess, by which a living individual is identifiable.
This includes any opinions or decisions pertaining to an individual, such as notes from performance review meetings, or recruitment notes on a candidate’s suitability for a role.
Under the GDPR, the definition of personal data has been expanded and is considered “any information relating to an identified or identifiable natural person”.
This means that if any data you hold can identify an individual, either directly or indirectly, then it is considered personal data. If an individual can be identified by reference to “an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” then it is personal data.
For organisations, this includes work email addresses, company car details and work phone numbers. An email address, whether it is email@example.com, ITmanager@company.co.uk or even a shared mailbox, can identify an individual, either on its own or when processed together with other data.
There are several ways in which a law firm could find itself vulnerable to a personal data breach. The following scenarios describe the risk and outline what protective measures can be taken.
Mergers and Acquisitions
A personal data breach includes unauthorised disclosure of, or access to, personal data. A legal firm could therefore be held responsible for a personal data breach if its clients’ data is inappropriately accessed because of a lack of internal controls.
Legal firms are often most at risk of this type of breach during a mergers and acquisitions engagement. Failure to plan and implement appropriate internal controls during such times leaves legal firms extremely vulnerable.
During a legal firm merger we often see unsophisticated attempts to address this issue: either everyone joining the firm is denied access, or they are given unrestricted access to everything. The former is not conducive to the seamless integration of new team members, creating inefficiency and harming employee morale. The latter, while enabling access for those who require it, also gives access to individuals who should not have permission to see the same files. This crude approach is extremely inadvisable as it creates a large security risk.
A worst-case scenario would be a deliberate attempt by a disgruntled employee to harm their employer by destroying, altering, or disclosing invaluable information. The financial and reputational damage following such an incident could be severe.
Appropriate solutions, although more time and resource intensive, provide the best protection against a personal data breach. One solution is to set up a system of permissions, whereby internal documents are marked and classified accordingly.
An alternative is to manage access through Active Directory. The benefit of this system is that permissions can be set by grouping people together based on their role and access status within the firm, so whole teams can be permitted or denied access.
However, when Active Directory is not administered well, users inherit access rights they should not have. This typically occurs after a change in role within the firm, when the access rights for the new role are simply appended to the existing profile, so the user retains the permissions from their previous position. We recommend that firms give heads of department access to view the Active Directory, as they are best placed to confirm which users should be permitted access.
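One way to catch the inherited-permission problem described above, as an added example that is not part of the original article: a small Python audit that compares the groups each account actually holds with the groups its current role needs, and groups the excess by department for the department head to review. Role names, account names and group names are constructed sample data; in practice they would come from a directory export.

```python
# Added example: audit for the "appended on role change" failure mode.
# Given the groups each role legitimately needs and the groups each account
# actually holds, report the excess per department so the department head
# can confirm or revoke it. All names below are constructed sample data.
from collections import defaultdict

# Constructed: which groups each role needs.
ROLE_GROUPS = {
    "Paralegal-Litigation": {"Litigation-Staff", "DMS-Litigation-RO"},
    "Associate-Litigation": {"Litigation-Staff", "DMS-Litigation-RW"},
    "Associate-M&A": {"MA-Staff", "DMS-MA-RW", "DealRoom-Users"},
    "Finance-Clerk": {"Finance-Staff", "Billing-App"},
}

# Constructed: account -> (department, current role, groups actually held).
ACCOUNTS = {
    "jsmith": ("Litigation", "Associate-Litigation",
               {"Litigation-Staff", "DMS-Litigation-RW"}),
    # Moved from Litigation to M&A; the old groups were never removed.
    "apatel": ("M&A", "Associate-M&A",
               {"Litigation-Staff", "DMS-Litigation-RW",
                "MA-Staff", "DMS-MA-RW", "DealRoom-Users"}),
    # Moved from Finance to a paralegal role; still in Billing-App.
    "rlee": ("Litigation", "Paralegal-Litigation",
             {"Litigation-Staff", "DMS-Litigation-RO", "Billing-App"}),
}


def excess_groups(accounts, role_groups):
    """Return {account: sorted groups held beyond what its current role needs}."""
    findings = {}
    for user, (_dept, role, held) in accounts.items():
        expected = role_groups.get(role)
        # Unknown role: nothing can be vouched for, so flag everything held.
        extra = held if expected is None else held - expected
        if extra:
            findings[user] = sorted(extra)
    return findings


def review_report(accounts, role_groups):
    """Group findings by department for the department head's review."""
    by_dept = defaultdict(list)
    for user, extra in excess_groups(accounts, role_groups).items():
        by_dept[accounts[user][0]].append((user, extra))
    return {dept: sorted(rows) for dept, rows in by_dept.items()}
```

Accounts whose held groups exactly match their role produce no finding; anyone holding groups from a previous role, or in a role the map does not know, is listed under their department.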
Cyber criminals target the legal sector by monitoring emails sent between staff and individuals. Communication is then intercepted at a crucial moment, such as when the individual is asked to send a deposit. Having intercepted the email, the cyber criminal alters the bank details, so the payment is sent to a different bank account. In this scenario, the solicitor will only become aware of the breach when the money fails to arrive days, or even weeks, later.
Using digital signatures or a secure email platform lets the recipient verify that a document came from a known sender and has not been altered in transit.
You can also use software to encrypt emails and attachments. Encryption offers additional protection should a breach take place, rendering the information unreadable and therefore useless to the attacker. The GDPR will require affected parties and authorities to be notified within 72 hours of a breach, but provides a safe harbour if the stolen data has been adequately encrypted. The extent of an investigation will be greatly reduced, and the level of fine and any subsequent personal litigation will be minimal, if not zero.
Sharing of passwords
Another risk arises when passwords are shared or written down. When in court during a case, it may be necessary to phone a colleague to ask for information or documents to be sent via email, and you may need to provide your password for your colleague to access them. This is where two-factor authentication can provide an additional layer of security. In addition to your password, you could be sent a code to your phone, for example, which you are also required to enter to access restricted documents. You could provide your colleague with the code, knowing that it is valid for a single use only and that your colleague would be unable to log in again with your password without also receiving a newly generated code.
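The single-use property relied on above, as an added example that is not code from the article: a minimal server-side store for one-time codes in which a code is consumed on first successful use, expires after a short window and is voided after a few wrong attempts. The validity window, attempt limit and hashing scheme are assumptions; the code is delivered out of band, and timestamps are passed in so it runs offline.

```python
# Added example: minimal server-side one-time code store (not from the article).
# Assumptions: only a hash of the code is kept, it expires after CODE_TTL_SECONDS,
# and MAX_ATTEMPTS wrong guesses void it. Delivery to the phone is out of scope.
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 5         # assumed guess limit before the code is voided


class OneTimeCodeStore:
    def __init__(self):
        self._pending = {}   # username -> (digest, issued_at, wrong_attempts)

    def issue(self, username, now):
        """Create a fresh 6-digit code for the user and return it for delivery."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (self._hash(username, code), now, 0)
        return code

    def verify(self, username, code, now):
        """True exactly once for the current code; it is consumed on success."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, issued_at, attempts = entry
        if now - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[username]   # expired or too many guesses: void it
            return False
        if hmac.compare_digest(digest, self._hash(username, code)):
            del self._pending[username]   # single use: consumed on success
            return True
        self._pending[username] = (digest, issued_at, attempts + 1)
        return False

    @staticmethod
    def _hash(username, code):
        # Bind the digest to the user so a code cannot be replayed across accounts.
        return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()
```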
These are all simple ways to improve your firm’s security. It is essential that information security is a priority for the legal sector. Law firms that fail to plan and implement organisational protective measures expose themselves to great risk.