Law firms are the custodian of clients' intellectual property, commercially sensitive and personal information. They have sensitive information about their own employees. They use mobile devices such as laptops, blackberrys, smart phones and tablets. Law firms also deal with large sums of money, which is often moved to and from firms. There are security risks from a technology, people and processes perspective.
Law firms are therefore becoming an increasingly attractive target for hackers who may regard the law firms as a weak link in the information chain. According to the press on this subject, it appears that the incidence and severity of cyber risks is rising. It is a real problem and it is pervasive. Governments are worried about cyber security.
The SRA recently reported that the number of cyber attacks on law firms in particular is increasing - up to 50 firms have been the victims of such attacks this year. Between £40,000 and £2m has been stolen in each case.
- Hacking: client information is hacked and stolen.
- Spear phishing attack / email scams: for example, an associate receives an email that appears to be from a colleague, but the email in fact contains a virus which is downloaded onto the associate's computer and the firm's network redirecting sensitive emails and transferring standing orders. Clients have also been targeted with emails purporting to be from their firm, saying the firm’s bank details have changed and encouraging them to send money to the new account.
The SRA is advising law firms to update software security, use more complicated passwords and always check more than once if it really is the bank or client on the phone. Clients should also be made aware of the threats of cyber crime when they instruct a legal adviser.
Solicitors professional indemnity policies were designed to cover civil liability claims arising from the provision of professional services as solicitors. They were not created with cyber risks in mind, and cover for data breaches (incidents where confidential data has potentially been viewed, stolen or used by an individual unauthorised to do so) may therefore be limited. Law firms should therefore consider obtaining further cover, including cyber risk insurance policies which provide indemnity for liability claims arising from a data breach.