Information held by law firms is increasingly becoming a target for hackers. This is hardly surprising, given the sensitive information often entrusted to law firms by their clients. Hackers’ motives include corporate espionage, IP theft, access to market-sensitive data, blackmail and extortion. Law firms should already be alive to the risks but the issue needs to be further up the agenda, as the threats get ever more sophisticated and the stakes get higher.
Law firms of all sizes are increasingly being targeted by cyber-attacks. These may take various forms, including “spear phishing” (a targeted and personalised e-mail scam containing a malicious payload) and exploitation of software flaws. Gone are the days when the most sophisticated abuse of a law firm’s IT systems was a scam e-mail from a fake Nigerian general.
Third-party service providers to corporate clients are often viewed as softer targets than the corporate clients themselves – the major attack on US retailer Target in 2013 was achieved through a spear phishing e-mail to the retailer’s air conditioning contractor, which in turn had access to part of Target’s systems – and law firms are another example of this indirect attack vector.
For example, if a hacker knows that a boutique law firm is regularly sub-contracted by a Magic Circle firm to conduct the IP due diligence on major M&A deals, then gaining access to that law firm’s systems (and in turn to a data room treasure trove of information on a PLC) may prove easier, and more fruitful, than attacking the PLC directly.
The ongoing consumerisation of business technology may exacerbate the security threat. As law firms embrace concepts such as “bring your own device” (BYOD), or at least allow lawyers to download personal apps onto work smartphones, the risk of malware residing on a device that accesses client data increases. Clients will increasingly demand more collaborative approaches from their lawyers, including the ability to remotely access, and contribute to, draft documents and view WIP and billing data, providing legitimate routes through the law firm’s perimeter fence for third parties whose access credentials could be compromised.
The consequences for law firms of failing adequately to address the threat are significant and becoming more so. Firms face reputational damage, potential claims from corporate clients whose data is stolen and regulatory action by the SRA. Also, under the Data Protection Act, failure to apply appropriate security measures to protect personal data can result in a fine of up to £500,000 and damages claims from affected individuals.
However, the Data Protection Act is soon to be replaced by a new EU Regulation. This will impose an obligation to notify the Information Commissioner and affected individuals of data breaches and increase the potential fines to between 2% and 5% of turnover (the cap has yet to be finalised at the time of writing). It will also extend liability to entities that merely process personal data on behalf of clients.
All law firms should ensure an ongoing commitment to cyber security. This might include assessment of systems against the Government’s Cyber Essentials scheme, the Standard for Information Assurance for SMEs (IASME) and/or ISO 27001.
This article was published in Surrey Lawyer in January 2016.