Law firms are increasingly becoming the target of Cybercriminals, driven by a perception that the industry's attempts to address security measures still lag behind other professional sectors. Understandably, much of the recent focus in the UK has been on those firms that have fallen victim to the 'Friday Afternoon' frauds. Typically aimed at conveyancing firms holding completion funds, the fraudsters use a range of methods to extract monies from firms' client accounts. Often this involves hacking into a client's or a firm's email account before redirecting the funds to a different bank account.
Undoubtedly these frauds have resulted in significant losses and the SRA has rightly been keen to highlight the risks. But it would be complacent to think that the threat of Cybercrime is confined to conveyancing firms on a specific day of the week, or even purely to the theft of money. It was recently revealed that 2 magic circle firms were specifically targeted by hackers seeking information of mergers and acquisitions. The particular attraction of large international firms goes beyond any money that they may hold on client account. Described as a 'treasure trove' of information, hackers are incentivised by the vast amounts of highly sensitive commercial data that these firms hold for their clients, often relating to confidential negotiations and trade secrets.
Once captured, hackers will seek to exploit this in one or more ways. Either they manipulate the data for their own use or trade the stolen data on anonymous black market websites. Alternatively, they will look to extort money from the compromised firm by threatening to make the data public unless a ransom sum is paid.
The founding partner of Mossack Fonseca (the now renowned Panamanian law firm at the centre of the confidential financial data leak which saw the unauthorised release of 11 million documents) has disputed any suggestion of an 'inside job'. He claims that the firm was the victim of an external hack. If correct, this shows how the mass release of this type of data through external intrusion can reverberate far and wide.
This situation has not yet arisen in the UK, at least on this scale. Some say it is only a matter of time before a high profile firm suffers a similar attack and it is easy to foresee the severe consequences that could follow. To name a few:
- The legal industry is centred on the core principles of trust and confidentiality. A high profile data breach will doubtless lead to major clients questioning their choice of legal representation.
- The unauthorised release of a client's commercially sensitive data (whether trade secrets or information about potential merges) has the clear potential to harm the business of that client. Any losses could potentially see the client turn to its lawyers to make good.
- Tighter Data Protection regulations (under the proposed European Data Protection Regulations), which are likely to come into force in 2018, will enable the regulator to impose much higher penalties than is currently the case. Potentially as much as €10,000,000 or 2% of global turnover, whichever is the higher.
What should law firms do?
There is a tendency to think that the profession has still not grasped the seriousness of Cybersecurity and that attitudes will only change when a top firm suffers a large scale attack. However, it is fair to say that a heightened focus on data security has emerged over the last year or so with many firms taking steps to improve their cyber defences. The reality is that hackers deploy daily attacks in the form of phishing emails and malware downloads, all in the hope that one will eventually penetrate. For all size firms, this requires continuous monitoring and testing of the security systems in place, including:
- Making sure that antivirus software is updated regularly and is responsive to the latest malware.
- Updating spam filters so that suspicious emails are blocked.
- Increasing login credentials for remote access and hand held devices.
- Continuous review of any unusual system access and data extraction.
Unfortunately, prevention is not always possible and hackers are often one step ahead. Equally as important is the implementation of robust breach response measures so that successful attacks are contained as quickly as possible.
- Early technical assistance to identify if, when and where a breach has been suffered.
- Prompt assessment of notification obligations to third parties and regulators.
- System restoration and business continuity strategy.
- Reputational issues addressed at an early stage.