This article is the first in a series by CMS’ Cyber Team exploring the impact of cyber breaches on different professions.
In the first of CMS' Cyber Team's Cyber and Professions Series, Amit Tyagi and Lucy Thomas explore the impact of cyber breaches on law firms; what their regulatory obligations are following a breach and what steps law firms should take to minimise the risk of a cyber attack.
In recent years, law firms have had to adapt to their operations increasingly moving online, from virtual signings to serving pleadings via email. The challenges associated with this trend have been heightened by the COVID-19 pandemic, which has seen the vast majority of fee-earners working from home and meetings and hearings being held exclusively via video link.
Law firms are seen as valuable targets by cyber criminals because of the sensitive information they hold, ranging from clients’ personal information to market-sensitive data, and the often large sums of money held on client account. COVID-19 has left the legal industry more vulnerable to cyber attacks than ever before, owing to the weaker security of a home-based office and the need for law firms to adapt their working practices quickly in light of the pandemic. The Solicitors Regulation Authority (“SRA”) and the National Cyber Security Centre (“NCSC”) have both issued warnings about the increased risk of cyber attacks on law firms.
Examples of cyber breaches solicitors may experience
Business email compromise such as phishing emails allowing bad actors to infiltrate the firm’s IT systems under the guise of a colleague or client;
Social engineering attacks such as seeking to procure the diversion of funds as part of a transaction;
Ransomware attacks where bad actors encrypt client files and demand payment in exchange for a decryption key;
Bad actors accessing confidential virtual meetings because of the security issues associated with new web-conferencing software; and
Targeted data breaches given law firms frequently hold sensitive personal and commercial data on behalf of clients.
What are the regulatory obligations when a solicitor’s firm suffers a breach?
If a law firm suffers a cyber breach, reporting obligations may arise to the SRA and/or the Information Commissioner’s Office (“ICO”), depending on the type of data that has been compromised and the extent of the breach.
Notification of a data breach to the ICO by a data controller must be completed no later than 72 hours after the controller has become aware of a data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 34 (1) of the GDPR obliges data controllers to notify individuals where “the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms”.
Controllers are required to have a process in place to assess the risks to data subjects posed by the breach. This assessment should focus on the severity and likelihood of the potential negative consequences of the breach on the data subject. When assessing whether to report, the controller will need to consider the type of breach, sensitivity and volume of the personal data involved, how easily individuals can be identified from it, the potential consequences and the characteristics of the individual or the controller. In our experience, generally law firms will be required to notify data subjects of a breach as the types of data law firms hold are usually confidential and/or sensitive, and the compromise of that data usually merits notification.
Due to the trust placed in solicitors and the obligations imposed upon them regarding client confidentiality, law firms often hire dedicated PR representation to manage the communication with individuals impacted by the breach to avoid any adverse reputational impact.
If a law firm suffers a data breach or client money has been stolen, the firm is required to notify the SRA, irrespective of whether the information or money is later recovered. Paragraph 6.3 of the Solicitors’ Code of Conduct requires solicitors to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents, and a data breach is in direct contravention of this duty. Where funds have been lost, the SRA requires the firm to inform the client, repay any client money lost and demonstrate that enhanced security steps have been taken to reduce the likelihood of a further incident. The SRA also recommends that the firm contacts its bank to enquire whether lost funds can be replaced.
The Law Society recommends reviewing the firm’s professional indemnity and cyber insurance policies to determine what indemnity is potentially available, including for any lost funds.
When a law firm experiences a breach in which client money has been stolen, the firm must give particular consideration to the Solicitors’ Code of Conduct, namely Rule 4 relating to client money and assets, and Accountancy Rules 2-4 relating to clients’ money.
How should law firms minimise the risk of a cyber attack?
Whilst it is not possible to prevent all cyber breaches, there are ways of mitigating the risk. It is advisable to adopt a three-pronged approach: targeting the practices of employees, investing in security systems such as two-factor authentication, and arranging appropriate insurance cover:
Regular cyber security training should be given to all employees across the firm, not just fee-earners, to encourage good cyber hygiene. The scope of this training should be broadened in light of COVID-19, and employees should be made familiar with the perils of working from home, such as the use of unsecured WiFi or personal devices, or printing confidential information on public printers. Employees should also be aware of the specific attacks likely to target their department: for example, a corporate team should be wary of being targeted when transferring funds on completion of a deal, and an intellectual property team should be alert to attacks aimed at industrial espionage.
Firms should invest in and deploy adequate antivirus software, data encryption and two-factor authentication. Frequent back-ups of the firm’s systems are strongly encouraged in case of a ransomware attack, and it is advisable to keep several copies of important data on separate systems off-site. Law firms should also consider updating their internal policies in light of COVID-19 to ensure that employees have a workable yet robust framework for carrying out tasks that are susceptible to attack from bad actors. These policies should be reviewed regularly to ensure they remain up to date and reflect the latest security recommendations.
Arrange for appropriate cyber insurance cover and ensure that it sufficiently mitigates the impact of cyber attacks particular to law firms, as detailed above.
CMS runs a dedicated 24/7/365 emergency response facility that can be accessed in the event of a cyber attack. If you do not have an emergency but want to learn more, please contact the authors.