Law firms have been too relaxed about cyber security considering the large amount of personal data and confidential information they hold, but with growing numbers of clients now making it a requirement, this could be about to change.
Berrymans Lace Mawer LLP technology, media and telecoms partner Nick Gibbons highlights the issue in an article for Solicitors Journal.
Law firms have become a prime target for cyber criminals because they keep vast quantities of valuable and sensitive confidential information belonging to their clients on their computer networks. They also present an attractive 'stepping stone' into their clients' computers.
Given that law firms regularly give advice on contentious and non-contentious intellectual property, technology, media and telecoms, financial services regulation, data protection law, the law of confidence, contract and tort law and insurance law, this may seem peculiar.
You may also be surprised by the fact that only 14 per cent of law firms have cyber insurance, and that those that do not are often uncertain whether their existing liability cover genuinely extends to any form of cyber incident.
Cyber risk has moved from being an esoteric risk to a mainstream concern for many larger businesses and is also moving up the SME agenda as a key risk.
Clients of law firms are entitled to expect that those that hold much of their most sensitive, valuable and confidential information and who may well have advised them on, for example, the legal requirements in the Data Protection Act will maintain and apply good technical, organisational and physical cyber security measures.
However, statistics suggest that the majority of lawyers are still not effectively addressing cyber security issues.
In the last decade businesses, professional firms and government organisations everywhere have moved from cardboard files to paperless offices running on computer networks, laptops, smart phones and, increasingly, remote computer servers in the cloud.
The use of computers and the internet has had huge benefits for businesses of every type, making it cheaper to store and transfer large amounts of data, making remote working affordable and practical, and allowing access to information anywhere in the world.
Conversely, our new interconnected world is increasingly exposed to computer-related business interruption risks, cybercrime and industrial espionage. At the epicentre of this new world are professional firms and, in particular, law firms. Law firms frequently hold many times the amount of data that an ordinary business holds, for the very reason that they are the entities to which every other type of business looks for protection and advice.
For cyber criminals and industrial spies, law firms represent an Aladdin's cave of valuable information and assets belonging to hundreds if not thousands of companies, institutions and government agencies. It is an opportunity to disrupt all those organisations in a single attack.
Some law firm clients simply worry that lawyers represent the "soft underbelly" of cyber security within their network of advisers and business partners. Others, particularly in the financial services sector, have become so concerned about cyber security within law firms that they are making security audits a condition of engagement.
There are several reasons why the majority of law firms are still not addressing cyber security issues:
- Cyber risk management is often seen as nebulous, complex and expensive.
- Partners and senior management frequently don't really understand cyber risks in general and their own firm's cyber risk profile in particular.
- Lawyers and staff within firms don't really understand these things either.
- Cyber risk management is frequently largely delegated to IT teams by partners and senior management in larger firms and to external consultants in smaller firms on the assumption that it is largely a technical issue.
- Lawyers wrongly assume that their existing insurance covers them for cyber risk and do not, therefore, buy cyber insurance.
- Lawyers tend to treat data protection issues/regulation as co-extensive with cyber risk and do not appreciate the gravity of other cyber risks.
- Lawyers tend to focus on law and regulation rather than practical cyber prevention measures when advising clients and when addressing cyber risk within their own firms.
1. Confidential information
The loss or theft of personal data is very serious but not as potentially fatal for a law firm as other types of cyber risk, in particular, the theft of confidential information and business interruption. Many people in the insurance and legal worlds still associate cyber risk almost exclusively with the loss or theft of personal data.
There are a number of possible reasons for this:
- Personal data was until relatively recently the favourite target of cyber criminals.
- Privacy and data protection legislation have received the greatest attention in the press.
- Lawyers specialising in personal data protection have tended to be given the job of addressing cyber security issues by their firms and clients, particularly in the insurance industry.
However, according to a Detica report for the UK government in 2011, the loss or theft of confidential information (other than personal data) costs the UK £23bn a year, compared with a cost of £1bn in respect of personal data. A law firm is bound by, inter alia, the Legal Services Act, contract, tort and the law of confidence to look after confidential information belonging to its clients.
The theft and subsequent publication of confidential information held on a law firm's computers could be damaging in the extreme for both the law firm and its clients:
- Unlike intellectual property assets that are protected, for example, as patents or design rights, trade secrets and research and development lose their value once they are made public, because anyone can then freely use them.
- The disclosure of business or litigation strategies to competitors can be enormously damaging or even fatal to a business.
- Law firms often have hundreds of clients and, therefore, multiple exposure to this type of loss.
2. Personal data
Although far less a risk for law firms than the loss or theft of confidential information, the loss or theft of personal data is nevertheless still a very serious risk.
Stolen personal data can be used to access a business's own bank and credit card accounts, and those of its employees, business partners and customers.
Additional losses may include: claims and legal costs from those whose money has been taken; the legal costs of dealing with the Information Commissioner; regulatory fines of up to £500,000 (this may rise to €100m or 5 per cent of global turnover when the new EU Data Protection Regulation comes into force); losses associated with damage to reputation; and the costs of notifying those whose personal data has been lost or stolen.
Law firms will have not only their employees' personal data on their computer networks but also that of their clients and business partners. This data may of course include financial and medical data.
3. Business interruption
Most law firms are now totally reliant for their day-to-day business on the robust functioning of their computer networks and are therefore vulnerable to computer downtime either as a result of technical faults in software/hardware or because of a denial of service (DoS) attack.
A denial of service attack occurs when an attacker deliberately makes a computer network belonging to a third party unavailable, typically by flooding it with requests or transactions beyond its capacity so that legitimate users can no longer be served.
Denial of service attacks and computer malfunctions cause very rapidly escalating losses. The victim's employees, deprived of their computers, are unable to work and business partners and customers, who are reliant on the victim's services, are unable to function effectively without them.
4. Cyber extortion
Cyber extortion is a crime which involves a cyber attack, or threat of it, against an organisation coupled with a demand for money to stop the attack.
Cyber extortion may be based on various other types of cyber attacks including a DoS attack, the introduction of malicious code to corrupt, damage or destroy a computer system and/or digital assets, and "ransomware" that can be used to encrypt the target's data.
Cyber extortion costs businesses many millions of pounds every year. The majority of cyber extortion episodes go unreported because victims do not want the publicity.
Technical and human threats
Cyber threats, as distinct from the cyber exposures previously described, can be human or technical, or both. Although it is possible that a law firm could be compromised solely through the use of malware, access to its computer network could also be achieved simply by tricking a receptionist into giving away his or her password or as a result of cybercriminals gaining physical access to a law firm's premises.
Cyber security cannot therefore be achieved by wholesale delegation to an IT department or a consultant. One of the key cyber security problems in law firms at present is that many partners in many different law firms simply do not understand cyber risk themselves.
A law firm's partners and management must understand and own cyber risk so that they are in a position to introduce and enforce staff education policies and procedures and these must be followed on a routine basis by everybody in the firm.
Law firms are already bound by a number of different laws and regulations to address cyber security issues, including the SRA Code of Conduct, the Legal Services Act, the Data Protection Act, contract, tort and the law of confidence.
In November 2013, the Law Society published guidance on the use of cloud services by solicitors and the applicable regulation and law, and the Solicitors Regulation Authority issued its own recommendations and expectations in its Silver Linings report.
Many of the same legal and regulatory principles set out in these guidelines are just as applicable to the security measures within a law firm itself. More broadly, new EU data protection rules are likely to lead to fines of up to 100m euros for businesses, including law firms, that cannot demonstrate that they have effective physical, organisational and technical security.